DEV-999: alle Rollen innerhalb von setup ausgelagert

qa
Hoan To 3 years ago
parent 32d867ef30
commit f2dae18111

@ -134,15 +134,19 @@
when:
- docker_enabled
- role: common
- role: hetzner-ansible-common
- role: devsec.hardening.ssh_hardening
tags:
- ssh_hardening
- role: filebeat
- role: hetzner-ansible-filebeat
when: filebeat_enabled | default(True)
- role: node_exporter
- role: hetzner-ansible-node-exporter
when: node_exporter_enabled | default(True)
- role: traefik
- role: hetzner-ansible-traefik
when: traefik_enabled | default(True)
#############################################################

@ -3,19 +3,45 @@ roles:
- name: geerlingguy.docker
version: 6.0.3
- name: cloudalchemy.blackbox-exporter
version: 1.0.0
src: https://github.com/cloudalchemy/ansible-blackbox-exporter
scm: git
version: 1.0.0
- name: postfix
version: v3.6.2
src: https://github.com/Oefenweb/ansible-postfix.git
scm: git
version: v3.6.2
- name: hetzner-ansible-dns
src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-dns-role.git
scm: git
version: 0.0.5
- name: hetzner-ansible-hcloud
src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-hcloud-role.git
scm: git
version: 0.0.2
- name: hetzner-ansible-common
src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-common-role.git
scm: git
version: 0.0.3
- name: hetzner-ansible-filebeat
src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-filebeat-role.git
scm: git
version: 0.0.4
- name: hetzner-ansible-metricbeat
src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-metricbeat-role.git
scm: git
version: 0.0.3
- name: hetzner-ansible-node-exporter
src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-node-exporter-role.git
scm: git
version: 0.0.3
- name: hetzner-ansible-traefik
src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-traefik-role.git
scm: git
version: 0.0.3
- name: hetzner-ansible-sma-deploy
src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-sma-deploy-role.git
scm: git
version: 0.0.3
collections:
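Review bot: The hetzner-ansible-* role entries added in this hunk are pinned only by a git tag, e.g. `version: 0.0.3` under `scm: git`; a tag is a mutable reference, so a later re-tag in the role repository changes what `ansible-galaxy install` fetches while this file stays byte-identical, and nothing here records the content that was actually deployed. For `scm: git` sources the `version` field also accepts a commit hash, which is the content-addressed form and the one to prefer for roles that configure sudo, SSH and Docker on every host. If tags are kept deliberately, a comment such as `# versions below are git tags (mutable); re-tagging changes what gets installed` above the first git-sourced entry would make the trade-off explicit. The `cloudalchemy.blackbox-exporter` and `postfix` entries appear to gain `src`/`scm: git` in the same hunk and have the same property; the `roles:` key itself sits above the hunk.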

@ -5,6 +5,6 @@ git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzn
git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-filebeat-role.git ../hetzner-ansible-filebeat-role
git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-hcloud-role.git ../hetzner-ansible-hcloud-role
git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-metricbeat-role.git ../hetzner-ansible-metricbeat-role
git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-node_exporter-role.git ../hetzner-ansible-node_exporter-role.
git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-sma_deploy-role.git ../hetzner-ansible-sma_deploy-role
git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-node-exporter-role.git ../hetzner-ansible-node-exporter-role.
git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-sma-deploy-role.git ../hetzner-ansible-sma-deploy-role
git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-traefik-role.git ../hetzner-ansible-traefik-role
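Review bot: The new node-exporter clone line keeps a stray trailing period in its destination, `../hetzner-ansible-node-exporter-role.`, so the checkout lands in a directory whose name ends in a dot, unlike every other destination in this script and unlike the `hetzner-ansible-node-exporter` name used in the requirements file; the rename from `node_exporter` fixed the repository name but carried the typo over from the replaced line. It should read `git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-node-exporter-role.git ../hetzner-ansible-node-exporter-role`. The first lines of the script are outside the hunk.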

@ -1 +1 @@
Subproject commit 0634be4c8819cbb78afd6e53fc99cb001edba8c0
Subproject commit 00550ba832aa5d4f59bce03ead09d9e940e3a672

@ -95,12 +95,16 @@
- always
roles:
- role: common
- role: hetzner-ansible-common
- role: filebeat
- role: devsec.hardening.ssh_hardening
tags:
- ssh_hardening
- role: hetzner-ansible-filebeat
when: filebeat_enabled | default(True)
- role: node_exporter
- role: hetzner-ansible-node-exporter
when: node_exporter_enabled | default(True)
- role: restore_{{ database_engine }}

@ -1,7 +0,0 @@
{
"auths": {
"{{ shared_service_hostname_harbor }}": {
"auth": "{{ [harbor_username, harbor_token] | join(":") | string | b64encode }}"
}
}
}

@ -1,8 +0,0 @@
{
"log-driver": "json-file",
"log-opts": {
"max-size": "1m",
"max-file": "5",
"compress": "true"
}
}

@ -1,15 +0,0 @@
---
- name: restart ntp
service:
name=ntpd
state=restarted
- name: restart ssh
service:
name=sshd
state=restarted
- name: "Regenerate grub config"
become: yes
command: "/usr/sbin/update-grub"

@ -1,296 +0,0 @@
---
### tags:
### users
### install
### upgrade
### config
### update_etc_hosts
### root_authorized_keys
- name: "Set hostname to <{{ inventory_hostname }}>"
hostname:
name: "{{ inventory_hostname }}"
- name: "Setting hosts configuration in /etc/hosts"
blockinfile:
marker: "# {mark} managed by ansible (hosts config for {{ inventory_hostname }})"
path: "/etc/hosts"
mode: '0644'
state: present
create: yes
block: |
{{ '127.0.1.1 ' + inventory_hostname }}
{{ '# shared services without domain (only internal available)' }}
{% for server_info in stage_server_infos | default([]) | sort(attribute='name') %}
{% if
server_info.service in ['elastic','logstash','maria','postgres']
%}
{{ server_info.private_ip + ' ' + server_info.name }}
{% endif %}
{% endfor %}
{{ '# shared services with domain (maybe external available)' }}
{% for server_info in stage_server_infos | default([]) | sort(attribute='name') %}
{% if
server_info.service in ['harbor','gitea','postfix','keycloak','iam']
or server_info.name == shared_service_host_management | default([])
%}
{{ server_info.private_ip + ' ' + server_info.name + '.' + domain_env }}
{% endif %}
{% endfor %}
{{ '# additional services behind kube loadbalancer (maybe available)' }}
{% for host in shared_service_additional_hosts|default([]) %}
{% if shared_service_kube_loadbalancer_ip_not_available == host.ip %}
{{ '# loadbalancer private ip not available for ' + stage + ':' + host.name + ' (use dynamic inventory)'}}
{% else %}
{{ host.ip + ' ' + host.name }}
{% endif %}
{% endfor %}
when:
- "'hcloud' in group_names"
tags:
- update_etc_hosts
- name: "Adding authorized keys for root"
ansible.posix.authorized_key:
user: root
state: present
key: "{{ lookup('file', 'users/' + item + '/ssh.pub') }}"
loop: '{{ smardigo_plattform_users }}'
tags:
- users
- root_authorized_keys
# ansible-lint related hint
# https://github.com/ansible-community/ansible-lint/issues/1621
# => issue whitelisted
- name: "Removing outdated authorized keys for root" # noqa deprecated-bare-vars
ansible.posix.authorized_key:
user: root
state: absent
key: "{{ lookup('file', 'users/outdated/' + item.path) }}"
with_community.general.filetree: users/outdated/
tags:
- users
- root_authorized_keys
- name: "Read current users" # noqa risky-shell-pipe
shell: "getent passwd | awk -F: '$3 > 999 {print $1}'"
register: current_users
changed_when: false
tags:
- users
- name: "Remove outdated users"
user: name={{ item }} state=absent remove=yes
with_items: "{{ current_users.stdout_lines }}"
when: not ((item in default_users) or (item in smardigo_plattform_users))
tags:
- users
- name: "Create users"
ansible.builtin.user:
name: '{{ item }}'
groups: '{{ sudo_group }}'
shell: '/bin/bash'
state: present
append: yes
loop: '{{ smardigo_plattform_users }}'
loop_control:
index_var: index
tags:
- users
- name: "Enable passwordless sudo"
ansible.builtin.lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
tags:
- users
# TODO check usage of key_options "no-agent-forwarding, no-agent-forwarding, no-X11-forwarding"
- name: "Set up authorized users"
ansible.posix.authorized_key:
user: '{{ item }}'
state: present
exclusive: true
key: "{{ lookup('file', '{{ playbook_dir }}/users/{{ item }}/ssh.pub') }}"
loop: '{{ smardigo_plattform_users | difference(["elastic"]) }}'
tags:
- users
- name: "Update available package list"
apt:
update_cache: yes
tags:
- install
- upgrade
when: ansible_distribution == "Ubuntu"
- name: "Create crontab entry to remove unused docker objects if necessary"
ansible.builtin.cron:
name: "remove unused docker objects"
minute: "0"
hour: "1"
job: "docker system prune -af --filter label!=prune=disable"
state: "{{ 'present' if docker_enabled else 'absent' }}"
- name: "Ensure docker configuration directory exists"
file:
path: '/home/{{ item }}/.docker/'
state: directory
owner: '{{ item }}'
group: '{{ item }}'
mode: '0755'
loop: '{{ smardigo_plattform_users }}'
when: docker_enabled
tags:
- users
- config
- name: "Insert/Update docker configuration"
template:
src: 'configs/docker/config.json.j2'
dest: '/home/{{ item }}/.docker/config.json'
owner: '{{ item }}'
group: '{{ item }}'
mode: 0600
loop: '{{ smardigo_plattform_users }}'
when:
- docker_enabled
- docker_config_enabled
tags:
- users
- config
- name: "Install apt-dependencies for {{ inventory_hostname }}"
apt:
name: "{{ item }}"
state: 'present'
loop: "{{ common_apt_dependencies + additional_apt_dependencies | default([]) }}"
when: ansible_distribution == "Ubuntu"
tags:
- install
- name: "Install python3-pip dependencies for {{ inventory_hostname }}"
pip:
name: "{{ item }}"
state: present
become: True
loop: "{{ common_pip_dependencies + additional_pip_dependencies | default([]) }}"
tags:
- install
- name: 'Ensures </etc/bash_completion.d> directory exists'
file:
state: directory
path: '/etc/bash_completion.d'
mode: '0755'
tags:
- install
- name: "Download docker bash completion"
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/docker/cli/v20.10.6/contrib/completion/bash/docker
dest: /etc/bash_completion.d/docker
mode: '644'
when: docker_enabled
tags:
- install
- name: "Ensure docker configuration directory exists"
file:
path: '/root/.docker/'
state: directory
owner: 'root'
group: 'root'
mode: '0755'
when: docker_enabled
tags:
- config
- name: "Insert/Update docker configuration"
template:
src: 'configs/docker/config.json.j2'
dest: '/root/.docker/config.json'
owner: 'root'
group: 'root'
mode: 0600
when:
- docker_enabled
- docker_config_enabled
tags:
- config
- name: "Ensure docker daemon configuration directory exists"
file:
path: '/etc/docker'
state: directory
owner: 'root'
group: 'root'
mode: '0755'
when: docker_enabled
tags:
- config
- name: "Remove docker daemon configuration when docker_enabled=false"
file:
state: absent
path: '/etc/docker/daemon.json'
when: not docker_enabled
tags:
- config
- name: "Insert/Update docker daemon configuration"
template:
src: 'configs/docker/daemon.json.j2'
dest: '/etc/docker/daemon.json'
owner: 'root'
group: 'root'
mode: 0600
when: docker_enabled
tags:
- config
- name: "Create Docker network"
community.docker.docker_network:
name: "{{ item }}"
labels:
prune: disable
when: docker_enabled
loop:
- front-tier
- back-tier
# elasticsearch production mode requirements
- name: "Set vm.max_map_count"
sysctl:
name: vm.max_map_count
value: '262144'
sysctl_set: yes
state: present
tags:
- config
# elasticsearch production mode requirements
- name: "Set fs.file-max"
sysctl:
name: fs.file-max
value: '65536'
sysctl_set: yes
state: present
tags:
- config
- name: "configure ssh_hardening"
include_role:
# include role from collection called 'devsec'
name: devsec.hardening.ssh_hardening
apply:
tags:
- ssh_hardening
tags:
- ssh_hardening

@ -48,7 +48,7 @@
- name: "Deploy docker templates for {{ connect_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -60,7 +60,7 @@
- name: "Deploy service templates for {{ connect_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "connect"
@ -71,7 +71,7 @@
- name: "Deploy certificate templates for {{ connect_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "elastic-certs/{{ stage }}-certs/ca"

@ -39,7 +39,7 @@
- name: "Deploy docker templates for {{ connect_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "connect-compact"

@ -43,7 +43,7 @@
- name: "Deploy docker templates for {{ wordpress_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -55,7 +55,7 @@
- name: "Deploy service templates for {{ wordpress_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "wordpress"

@ -24,7 +24,7 @@
- name: "Deploy docker templates for {{ elastic_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -38,7 +38,7 @@
- name: "Deploy service templates for {{ elastic_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "elastic"
@ -51,7 +51,7 @@
- name: "Deploy certificate templates for {{ elastic_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "elastic-certs/{{ stage }}-certs"

@ -1,3 +0,0 @@
---
filebeat_image_name: "docker.elastic.co/beats/filebeat"

@ -1,75 +0,0 @@
---
### tags:
### update_certs
### update_config
### update_deployment
- name: "Check if filebeat/docker-compose.yml exists"
stat:
path: '{{ service_base_path }}/filebeat/docker-compose.yml'
register: check_docker_compose_file
tags:
- update_config
- update_deployment
- name: "Stop filebeat"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/filebeat'
state: absent
when: check_docker_compose_file.stat.exists
tags:
- update_config
- update_deployment
- name: "Deploy docker templates for filebeat"
include_role:
name: sma_deploy
tasks_from: templates
vars:
current_config: "_docker"
current_base_path: "{{ service_base_path }}"
current_destination: "filebeat"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
current_docker: "{{ filebeat_docker }}"
tags:
- update_config
- update_deployment
- name: "Deploy service templates for filebeat"
include_role:
name: sma_deploy
tasks_from: templates
vars:
current_config: "filebeat"
current_base_path: "{{ service_base_path }}"
current_destination: "filebeat"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
tags:
- update_config
- name: "Deploy certificate templates for filebeat"
include_role:
name: sma_deploy
tasks_from: templates
vars:
current_config: "elastic-certs/{{ stage }}-certs"
current_base_path: "{{ service_base_path }}"
current_destination: "filebeat/certs"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
cleanup_destination: "true"
tags:
- update_certs
- update_config
- name: "Update filebeat"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/filebeat'
state: present
pull: yes
tags:
- update_config
- update_deployment

@ -1,25 +0,0 @@
---
filebeat_id: "{{ inventory_hostname }}-filebeat"
filebeat_docker: {
services: [
{
name: "{{ filebeat_id }}",
image_name: "{{ filebeat_image_name }}",
image_version: "{{ elastic_filebeat_version }}",
user: root,
environment: [
"node.name: \"{{ filebeat_id }}\"",
],
volumes: [
'"./config/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro"',
'"/var/lib/docker/containers/:/var/lib/docker/containers/:ro"',
'"/var/run/docker.sock:/var/run/docker.sock:ro"',
'"/var/log/:/var/log/:ro"',
'"./certs:/usr/share/filebeat/config/certificates:ro"',
],
extra_hosts: "{{ filebeat_extra_hosts | default([]) }}",
},
],
}

@ -28,7 +28,7 @@
- name: "Deploy docker templates for {{ inventory_hostname }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -40,7 +40,7 @@
- name: "Deploy service templates for {{ inventory_hostname }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "keycloak"

@ -25,7 +25,7 @@
- name: "Deploy docker templates for {{ keycloak_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "keycloak-compact"

@ -31,7 +31,7 @@
- name: "Deploy docker templates for {{ kibana_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -45,7 +45,7 @@
- name: "Deploy service templates for {{ kibana_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "elastic"
@ -58,7 +58,7 @@
- name: "Deploy certificate templates for {{ kibana_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "elastic-certs/{{ stage }}-certs"

@ -24,7 +24,7 @@
- name: "Deploy docker templates for {{ logstash_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -38,7 +38,7 @@
- name: "Deploy service templates for {{ logstash_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "logstash"
@ -51,7 +51,7 @@
- name: "Deploy certificate templates for {{ logstash_id }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "elastic-certs/{{ stage }}-certs"

@ -1,3 +0,0 @@
---
metricbeat_image_name: "docker.elastic.co/beats/metricbeat"

@ -1,75 +0,0 @@
---
### tags:
### update_certs
### update_config
### update_deployment
- name: "Check if metricbeat/docker-compose.yml exists"
stat:
path: '{{ service_base_path }}/metricbeat/docker-compose.yml'
register: check_docker_compose_file
tags:
- update_config
- update_deployment
- name: "Stop metricbeat"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/metricbeat'
state: absent
when: check_docker_compose_file.stat.exists
tags:
- update_config
- update_deployment
- name: "Deploy docker templates for metricbeat"
include_role:
name: sma_deploy
tasks_from: templates
vars:
current_config: "_docker"
current_base_path: "{{ service_base_path }}"
current_destination: "metricbeat"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
current_docker: "{{ metricbeat_docker }}"
tags:
- update_config
- update_deployment
- name: "Deploy service templates for metricbeat"
include_role:
name: sma_deploy
tasks_from: templates
vars:
current_config: "metricbeat"
current_base_path: "{{ service_base_path }}"
current_destination: "metricbeat"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
tags:
- update_config
- name: "Deploy certificate templates for metricbeat"
include_role:
name: sma_deploy
tasks_from: templates
vars:
current_config: "elastic-certs/{{ stage }}-certs"
current_base_path: "{{ service_base_path }}"
current_destination: "metricbeat/certs"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
cleanup_destination: "true"
tags:
- update_certs
- update_config
- name: "Update metricbeat"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/metricbeat'
state: present
pull: yes
tags:
- update_config
- update_deployment

@ -1,26 +0,0 @@
---
metricbeat_id: "{{ inventory_hostname }}-metricbeat"
metricbeat_docker: {
services: [
{
name: "{{ metricbeat_id }}",
image_name: "{{ metricbeat_image_name }}",
image_version: "{{ elastic_metricbeat_version }}",
user: root,
environment: [
"node.name: \"{{ metricbeat_id }}\"",
],
volumes: [
'"./config/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml:ro"',
'"/var/run/docker.sock:/var/run/docker.sock:ro"',
'"/sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro"',
'"/proc:/hostfs/proc:ro"',
'"/:/hostfs:ro"',
'"./certs:/usr/share/metricbeat/config/certificates:ro"',
],
extra_hosts: "{{ metricbeat_extra_hosts | default([]) }}",
},
],
}

@ -1,128 +0,0 @@
# Set the command-line arguments to pass to the server.
# Due to shell scaping, to pass backslashes for regexes, you need to double
# them (\\d for \d). If running under systemd, you need to double them again
# (\\\\d to mean \d), and escape newlines too.
ARGS="--web.listen-address='127.0.0.1:9082'"
# Prometheus-node-exporter supports the following options:
#
# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
# Regexp of devices to ignore for diskstats.
# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
# Regexp of mount points to ignore for filesystem
# collector.
# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
# Regexp of filesystem types to ignore for
# filesystem collector.
# --collector.netdev.ignored-devices="^lo$"
# Regexp of net devices to ignore for netdev
# collector.
# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
# Regexp of fields to return for netstat
# collector.
# --collector.ntp.server="127.0.0.1"
# NTP server to use for ntp collector
# --collector.ntp.protocol-version=4
# NTP protocol version
# --collector.ntp.server-is-local
# Certify that collector.ntp.server address is the
# same local host as this collector.
# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
# --collector.ntp.max-distance=3.46608s
# Max accumulated distance to the root
# --collector.ntp.local-offset-tolerance=1ms
# Offset between local clock and local ntpd time
# to tolerate
# --path.procfs="/proc" procfs mountpoint.
# --path.sysfs="/sys" sysfs mountpoint.
# --collector.qdisc.fixtures=""
# test fixtures to use for qdisc collector
# end-to-end testing
# --collector.runit.servicedir="/etc/service"
# Path to runit service directory.
# --collector.supervisord.url="http://localhost:9001/RPC2"
# XML RPC endpoint.
# --collector.systemd.unit-whitelist=".+"
# Regexp of systemd units to whitelist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
# Regexp of systemd units to blacklist. Units must
# both match whitelist and not match blacklist to
# be included.
# --collector.systemd.private
# Establish a private, direct connection to
# systemd without dbus.
# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
# Directory to read text files with metrics from.
# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
# Regexp of fields to return for vmstat collector.
# --collector.wifi.fixtures=""
# test fixtures to use for wifi collector metrics
# --collector.arp Enable the arp collector (default: enabled).
# --collector.bcache Enable the bcache collector (default: enabled).
# --collector.bonding Enable the bonding collector (default: enabled).
# --collector.buddyinfo Enable the buddyinfo collector (default:
# disabled).
# --collector.conntrack Enable the conntrack collector (default:
# enabled).
# --collector.cpu Enable the cpu collector (default: enabled).
# --collector.diskstats Enable the diskstats collector (default:
# enabled).
# --collector.drbd Enable the drbd collector (default: disabled).
# --collector.edac Enable the edac collector (default: enabled).
# --collector.entropy Enable the entropy collector (default: enabled).
# --collector.filefd Enable the filefd collector (default: enabled).
# --collector.filesystem Enable the filesystem collector (default:
# enabled).
# --collector.hwmon Enable the hwmon collector (default: enabled).
# --collector.infiniband Enable the infiniband collector (default:
# enabled).
# --collector.interrupts Enable the interrupts collector (default:
# disabled).
# --collector.ipvs Enable the ipvs collector (default: enabled).
# --collector.ksmd Enable the ksmd collector (default: disabled).
# --collector.loadavg Enable the loadavg collector (default: enabled).
# --collector.logind Enable the logind collector (default: disabled).
# --collector.mdadm Enable the mdadm collector (default: enabled).
# --collector.meminfo Enable the meminfo collector (default: enabled).
# --collector.meminfo_numa Enable the meminfo_numa collector (default:
# disabled).
# --collector.mountstats Enable the mountstats collector (default:
# disabled).
# --collector.netdev Enable the netdev collector (default: enabled).
# --collector.netstat Enable the netstat collector (default: enabled).
# --collector.nfs Enable the nfs collector (default: enabled).
# --collector.nfsd Enable the nfsd collector (default: enabled).
# --collector.ntp Enable the ntp collector (default: disabled).
# --collector.qdisc Enable the qdisc collector (default: disabled).
# --collector.runit Enable the runit collector (default: disabled).
# --collector.sockstat Enable the sockstat collector (default:
# enabled).
# --collector.stat Enable the stat collector (default: enabled).
# --collector.supervisord Enable the supervisord collector (default:
# disabled).
# --collector.systemd Enable the systemd collector (default: enabled).
# --collector.tcpstat Enable the tcpstat collector (default:
# disabled).
# --collector.textfile Enable the textfile collector (default:
# enabled).
# --collector.time Enable the time collector (default: enabled).
# --collector.uname Enable the uname collector (default: enabled).
# --collector.vmstat Enable the vmstat collector (default: enabled).
# --collector.wifi Enable the wifi collector (default: enabled).
# --collector.xfs Enable the xfs collector (default: enabled).
# --collector.zfs Enable the zfs collector (default: enabled).
# --collector.timex Enable the timex collector (default: enabled).
# --web.listen-address=":9100"
# Address on which to expose metrics and web
# interface.
# --web.telemetry-path="/metrics"
# Path under which to expose metrics.
# --log.level="info" Only log messages with the given severity or
# above. Valid levels: [debug, info, warn, error,
# fatal]
# --log.format="logger:stderr"
# Set the log target and format. Example:
# "logger:syslog?appname=bob&local=7" or
# "logger:stdout?json=true"

@ -1,5 +0,0 @@
---
- name: "restart node-exporter"
service:
name: prometheus-node-exporter.service
state: restarted

@ -1,46 +0,0 @@
---
### tags:
- name: "Ensure prometheus-node-exporter ist installed"
apt:
pkg:
- prometheus-node-exporter
- prometheus-node-exporter-collectors
tags:
- node_exporter
- name: "checking for default config"
stat:
path: /etc/default/prometheus-node-exporter
register: default_config
tags:
- node_exporter
- name: "providing default config"
copy:
src: default_config
dest: /etc/default/prometheus-node-exporter
owner: root
group: root
mode: '0644'
when:
- not default_config.stat.exists
tags:
- node_exporter
- name: "Setup prometheus-node-exporter interface bind"
lineinfile:
path: /etc/default/prometheus-node-exporter
regex: "^ARGS="
line: "ARGS=\"--web.listen-address='{{ node_exporter_listen_address }}:{{ monitor_port_system }}'\""
notify: restart node-exporter
tags:
- node_exporter
- name: "Ensure prometheus-node-exporter is running"
service:
name: prometheus-node-exporter
state: started
tags:
- node_exporter

@ -29,7 +29,7 @@
- name: "Deploy docker templates for {{ inventory_hostname }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -43,7 +43,7 @@
- name: "Deploy service templates for {{ inventory_hostname }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "pgadmin4"

@ -5,7 +5,7 @@
- name: "Deploy service templates for {{ inventory_hostname }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "prometheus"

@ -44,7 +44,7 @@
- name: "Deploy docker templates for {{ inventory_hostname }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"

@ -46,7 +46,7 @@
- name: "Deploying docker templates for <{{ current_service_id }}>"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -58,7 +58,7 @@
- name: "Deploying service templates for <{{ current_service_id }}>"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "{{ current_service }}"

@ -1,27 +0,0 @@
---
- name: "Create empty htpswd file"
ansible.builtin.file:
path: "{{ htpasswd_file_path }}"
state: touch
mode: '0600'
- name: "Add a user and password to empty htpswd file>"
community.general.htpasswd:
path: "{{ htpasswd_file_path }}"
name: "{{ basic_auth_username }}"
password: "{{ basic_auth_password }}"
mode: '0600'
- name: "Read credentials out of htpasswd file"
ansible.builtin.slurp:
src: "{{ htpasswd_file_path }}"
register: "credentials"
- name: "Delete htpasswd file"
ansible.builtin.file:
path: "{{ htpasswd_file_path }}"
state: absent
- name: "Setting htpasswd to <{{ credentials_name }}>" ## noqa var-naming
ansible.builtin.set_fact: "{{ credentials_name }}={{ credentials.content | b64decode | trim | replace('$','$$') }}"

@ -1,68 +0,0 @@
---
### tags:
### update_certs
### update_config
### update_deployment
- name: 'Delete {{ current_base_path }}/{{ current_destination }}'
file:
state: absent
path: "{{ current_base_path }}/{{ current_destination }}"
when: cleanup_destination is defined and cleanup_destination == "true"
tags:
- update_certs
- update_config
- update_deployment
- name: 'Ensures {{ current_base_path }}/{{ current_destination }} directory exists'
file:
state: directory
path: '{{ current_base_path }}/{{ current_destination }}'
mode: '0755'
tags:
- update_certs
- update_config
- update_deployment
- name: 'Ensure directory structure for {{ current_config }} exists'
file:
path: "{{ current_base_path }}/{{ current_destination }}/{{ item.path }}"
state: directory
owner: "{{ current_owner }}"
group: "{{ current_group }}"
mode: 0755
with_filetree: "templates/{{ current_config }}"
when: item.state == "directory"
tags:
- update_certs
- update_config
- update_deployment
- name: Ensure config template files are populated from templates/{{ current_config }}
template:
src: "{{ item.src }}"
dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path | regex_replace('\\.j2$', '') }}"
owner: "{{ current_owner }}"
group: "{{ current_group }}"
mode: 0644
with_filetree: "templates/{{ current_config }}"
when: item.state == 'file' and item.src is match('.*\.j2$')
tags:
- update_certs
- update_config
- update_deployment
- name: Ensure config files are populated from from templates/{{ current_config }}
copy:
src: "{{ item.src }}"
dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path }}"
owner: "{{ current_owner }}"
group: "{{ current_group }}"
mode: 0644
with_filetree: "templates/{{ current_config }}"
when: item.state == 'file' and item.src is not match('.*\.j2$')
tags:
- update_certs
- update_config
- update_deployment

@ -1,4 +0,0 @@
---
traefik_image_name: "traefik"
traefik_dns_01_challenge: true

@ -1,54 +0,0 @@
---
### tags:
- name: "Check if traefik/docker-compose.yml exists"
stat:
path: '{{ service_base_path }}/traefik/docker-compose.yml'
register: check_docker_compose_file
- name: "Stop traefik"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/traefik'
state: absent
when: check_docker_compose_file.stat.exists
- name: "Deploy docker templates for traefik"
include_role:
name: sma_deploy
tasks_from: templates
vars:
current_config: "_docker"
current_base_path: "{{ service_base_path }}"
current_destination: "traefik"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
current_docker: "{{ traefik_docker }}"
- name: "Deploy service templates for traefik"
include_role:
name: sma_deploy
tasks_from: templates
vars:
current_config: "traefik"
current_base_path: "{{ service_base_path }}"
current_destination: "traefik"
current_owner: "{{ docker_owner }}"
current_group: "{{ docker_group }}"
- name: "Ensure acme.json exists"
copy:
content: ""
dest: '{{ service_base_path }}/traefik/acme.json'
force: no
owner: "{{ docker_owner }}"
group: "{{ docker_group }}"
mode: '0600'
- name: "Update traefik"
community.docker.docker_compose:
project_src: '{{ service_base_path }}/traefik'
state: present
pull: yes
tags:
- update_deployment

@ -1,76 +0,0 @@
---
traefik_id: "{{ inventory_hostname }}-traefik"
traefik_environment_digitalocean: [
'DO_AUTH_TOKEN: "{% if traefik_dns_01_challenge %}{{ digitalocean_authentication_token }}{% else %}{% endif %}"',
]
traefik_environment_hetzner: [
'HETZNER_API_KEY: "{% if traefik_dns_01_challenge %}{{ hetzner_dns_api_key }}{% else %}{% endif %}"',
]
traefik_environment_dns: "{{ traefik_environment_digitalocean if dns == 'digitalocean' else traefik_environment_hetzner if dns == 'hetzner' else [] }}"
traefik_docker: {
networks: [
{
name: front-tier,
external: 'true',
},
],
services: [
{
name: "{{ traefik_id }}",
image_name: "{{ traefik_image_name }}",
image_version: "{{ traefik_version }}",
environment: "{{ traefik_environment_dns }}",
volumes: [
'"./acme.json:/acme.json"',
'"./traefik.toml:/traefik.toml:ro"',
'"./traefik_dynamic.toml:/traefik_dynamic.toml:ro"',
'"/var/run/docker.sock:/var/run/docker.sock:ro"',
'"./config/static_files:/var/www/static_files:ro"',
],
networks: [
'"front-tier"'
],
ports: [
{
external: "0.0.0.0:{{ http_port }}",
internal: "{{ http_port }}"
},
{
external: "0.0.0.0:{{ https_port }}",
internal: "{{ https_port }}"
},
{
external: "0.0.0.0:{{ service_port_git }}",
internal: "{{ service_port_git }}"
},
{
external: "0.0.0.0:{{ service_port_pgadmin }}",
internal: "{{ service_port_pgadmin }}"
},
{
external: "0.0.0.0:{{ service_port_phpmyadmin }}",
internal: "{{ service_port_phpmyadmin }}"
},
{
external: "0.0.0.0:{{ admin_port_traefik }}",
internal: "{{ admin_port_traefik }}"
},
{
external: "0.0.0.0:{{ admin_port_service }}",
internal: "{{ admin_port_service }}"
},
{
external: "0.0.0.0:{{ monitor_port_docker }}",
internal: "{{ monitor_port_docker }}"
},
{
external: "0.0.0.0:{{ monitor_port_harbor }}",
internal: "{{ monitor_port_harbor }}"
},
],
}
]
}

@ -15,7 +15,7 @@
- name: "Deploy docker templates for {{ inventory_hostname }}"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "_docker"
@ -27,7 +27,7 @@
- name: "Deploy service templates for webdav"
include_role:
name: sma_deploy
name: hetzner-ansible-sma-deploy
tasks_from: templates
vars:
current_config: "webdav"

@ -48,31 +48,35 @@
when:
- docker_enabled
- role: common
- role: hetzner-ansible-common
tags:
- common
- role: devsec.hardening.ssh_hardening
tags:
- ssh_hardening
- role: node_exporter
- role: hetzner-ansible-node-exporter
when:
- node_exporter_enabled
tags:
- node-exporter
- role: filebeat
- role: hetzner-ansible-filebeat
when:
- docker_enabled
- filebeat_enabled
tags:
- filebeat
- role: metricbeat
- role: hetzner-ansible-metricbeat
when:
- docker_enabled
- metricbeat_enabled
tags:
- metricbeat
- role: traefik
- role: hetzner-ansible-traefik
when:
- docker_enabled
- traefik_enabled

@ -59,9 +59,6 @@ dev-devops-iaas-01
[webdav]
#dev-webdav-01
[test]
dev-test-roles-01
[kube_control_plane]
devnso-kube-cpl-01
devnso-kube-cpl-02
