From f2dae18111e8582b95ac1d151936188d8b05e73a Mon Sep 17 00:00:00 2001 
From: Hoan To Date: Mon, 8 May 2023 06:26:22 +0000 Subject: [PATCH] DEV-999: alle rollen innerhalb von setup ausgelagert --- create-server.yml | 12 +- galaxy-requirements.yml | 30 ++- gitlab.clone.roles.sh | 4 +- kubespray | 2 +- restore-remote-database-backup.yml | 10 +- roles/common/configs/docker/config.json.j2 | 7 - roles/common/configs/docker/daemon.json.j2 | 8 - roles/common/defaults/main.yml | 1 - roles/common/handlers/main.yml | 15 -- roles/common/tasks/main.yml | 296 --------------------- roles/common/templates/resolv.conf.j2 | 1 - roles/connect/tasks/main.yml | 6 +- roles/connect_compact/tasks/main.yml | 2 +- roles/connect_wordpress/tasks/main.yml | 4 +- roles/elastic/tasks/main.yaml | 6 +- roles/filebeat/defaults/main.yaml | 3 - roles/filebeat/tasks/main.yaml | 75 ------ roles/filebeat/vars/main.yml | 25 -- roles/keycloak/tasks/main.yml | 4 +- roles/keycloak_compact/tasks/main.yml | 2 +- roles/kibana/tasks/main.yaml | 6 +- roles/logstash/tasks/main.yaml | 6 +- roles/metricbeat/defaults/main.yaml | 3 - roles/metricbeat/tasks/main.yaml | 75 ------ roles/metricbeat/vars/main.yml | 26 -- roles/node_exporter/files/default_config | 128 --------- roles/node_exporter/handlers/main.yml | 5 - roles/node_exporter/tasks/main.yml | 46 ---- roles/pgadmin4/tasks/main.yml | 4 +- roles/prometheus/tasks/_update_config.yml | 2 +- roles/prometheus/tasks/main.yml | 2 +- roles/shared_service/tasks/main.yml | 4 +- roles/sma_deploy/defaults/main.yml | 1 - roles/sma_deploy/tasks/htpasswd.yml | 27 -- roles/sma_deploy/tasks/templates.yml | 68 ----- roles/sma_deploy/vars/main.yml | 1 - roles/traefik/defaults/main.yml | 4 - roles/traefik/tasks/main.yml | 54 ---- roles/traefik/vars/main.yml | 76 ------ roles/webdav/tasks/main.yaml | 4 +- setup.yml | 14 +- stage-dev | 3 - 42 files changed, 81 insertions(+), 991 deletions(-) delete mode 100644 roles/common/configs/docker/config.json.j2 delete mode 100644 roles/common/configs/docker/daemon.json.j2 delete mode 100644 
roles/common/defaults/main.yml
delete mode 100644 roles/common/handlers/main.yml
delete mode 100644 roles/common/tasks/main.yml
delete mode 100644 roles/common/templates/resolv.conf.j2
delete mode 100644 roles/filebeat/defaults/main.yaml
delete mode 100644 roles/filebeat/tasks/main.yaml
delete mode 100644 roles/filebeat/vars/main.yml
delete mode 100644 roles/metricbeat/defaults/main.yaml
delete mode 100644 roles/metricbeat/tasks/main.yaml
delete mode 100644 roles/metricbeat/vars/main.yml
delete mode 100644 roles/node_exporter/files/default_config
delete mode 100644 roles/node_exporter/handlers/main.yml
delete mode 100644 roles/node_exporter/tasks/main.yml
delete mode 100644 roles/sma_deploy/defaults/main.yml
delete mode 100644 roles/sma_deploy/tasks/htpasswd.yml
delete mode 100644 roles/sma_deploy/tasks/templates.yml
delete mode 100644 roles/sma_deploy/vars/main.yml
delete mode 100644 roles/traefik/defaults/main.yml
delete mode 100644 roles/traefik/tasks/main.yml
delete mode 100644 roles/traefik/vars/main.yml
diff --git a/create-server.yml b/create-server.yml
index 947b834..b829d5f 100644
--- a/create-server.yml
+++ b/create-server.yml
@@ -134,15 +134,19 @@
 when:
 - docker_enabled
- - role: common
+ - role: hetzner-ansible-common
+
+ - role: devsec.hardening.ssh_hardening
+ tags:
+ - ssh_hardening
- - role: filebeat
+ - role: hetzner-ansible-filebeat
 when: filebeat_enabled | default(True)
- - role: node_exporter
+ - role: hetzner-ansible-node-exporter
 when: node_exporter_enabled | default(True)
- - role: traefik
+ - role: hetzner-ansible-traefik
 when: traefik_enabled | default(True)
 #############################################################
diff --git a/galaxy-requirements.yml b/galaxy-requirements.yml
index b6009b5..44293e9 100644
--- a/galaxy-requirements.yml
+++ b/galaxy-requirements.yml
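Review bot: Nothing records why the new `- role: devsec.hardening.ssh_hardening` entry sits directly after `hetzner-ansible-common`, even though the ordering is security-relevant: the deleted `roles/common/tasks/main.yml` ran this include as its last task, after the root and user `authorized_key` entries were installed, and if the external common role still does that work the hardening must stay behind it so nobody is locked out of sshd. Add `# keep after hetzner-ansible-common: users/authorized_keys first, then sshd lockdown` above the entry. Also confirm that hetzner-ansible-common 0.0.3 no longer includes ssh_hardening itself, otherwise the role now runs twice per play. The same entry, and the same comment, apply to the restore-remote-database-backup.yml hunk.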
@@ -3,19 +3,45 @@ roles:
 - name: geerlingguy.docker
 version: 6.0.3
 - name: cloudalchemy.blackbox-exporter
- version: 1.0.0
 src: https://github.com/cloudalchemy/ansible-blackbox-exporter
 scm: git
+ version: 1.0.0
 - name: postfix
- version: v3.6.2
 src: https://github.com/Oefenweb/ansible-postfix.git
 scm: git
+ version: v3.6.2
 - name: hetzner-ansible-dns
 src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-dns-role.git
 scm: git
+ version: 0.0.5
 - name: hetzner-ansible-hcloud
 src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-hcloud-role.git
 scm: git
+ version: 0.0.2
+- name: hetzner-ansible-common
+ src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-common-role.git
+ scm: git
+ version: 0.0.3
+- name: hetzner-ansible-filebeat
+ src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-filebeat-role.git
+ scm: git
+ version: 0.0.4
+- name: hetzner-ansible-metricbeat
+ src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-metricbeat-role.git
+ scm: git
+ version: 0.0.3
+- name: hetzner-ansible-node-exporter
+ src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-node-exporter-role.git
+ scm: git
+ version: 0.0.3
+- name: hetzner-ansible-traefik
+ src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-traefik-role.git
+ scm: git
+ version: 0.0.3
+- name: hetzner-ansible-sma-deploy
+ src: git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-sma-deploy-role.git
+ scm: git
+ version: 0.0.3
 collections:
diff --git a/gitlab.clone.roles.sh b/gitlab.clone.roles.sh
index 0d1013e..dc0fed9 100755
--- a/gitlab.clone.roles.sh
+++ b/gitlab.clone.roles.sh
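Review bot: Every new hetzner-ansible-* entry is pinned to a `0.0.x` tag of a git repository, and a tag is a mutable ref, so the install is neither reproducible nor tamper-evident for code that this commit moves out of the reviewed tree (the deleted roles/common tasks managed root authorized keys, passwordless sudo and the registry-credential template). For these `scm: git` entries prefer a commit hash in `version:`, or at least record the tag's commit alongside it so the pin can be verified before each `ansible-galaxy install`. The plays now reference `devsec.hardening.ssh_hardening` directly, so the `collections:` section that starts at the hunk's last line should pin `devsec.hardening` to a version too; it is not visible here.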
@@ -5,6 +5,6 @@ git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzn
 git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-filebeat-role.git ../hetzner-ansible-filebeat-role
 git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-hcloud-role.git ../hetzner-ansible-hcloud-role
 git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-metricbeat-role.git ../hetzner-ansible-metricbeat-role
-git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-node_exporter-role.git ../hetzner-ansible-node_exporter-role.
-git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-sma_deploy-role.git ../hetzner-ansible-sma_deploy-role
+git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-node-exporter-role.git ../hetzner-ansible-node-exporter-role.
+git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-sma-deploy-role.git ../hetzner-ansible-sma-deploy-role
 git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-traefik-role.git ../hetzner-ansible-traefik-role
diff --git a/kubespray b/kubespray
index 0634be4..00550ba 160000
--- a/kubespray
+++ b/kubespray
@@ -1 +1 @@
-Subproject commit 0634be4c8819cbb78afd6e53fc99cb001edba8c0
+Subproject commit 00550ba832aa5d4f59bce03ead09d9e940e3a672
diff --git a/restore-remote-database-backup.yml b/restore-remote-database-backup.yml
index 979ceed..0b3463b 100644
--- a/restore-remote-database-backup.yml
+++ b/restore-remote-database-backup.yml
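Review bot: The renamed node-exporter line still ends its destination with a stray dot, `../hetzner-ansible-node-exporter-role.`, so the clone lands in a directory whose name carries a trailing `.` rather than the `../hetzner-ansible-node-exporter-role` path that the sibling lines and the galaxy role name suggest; the typo is carried over from the removed line. Change the line to `git clone git@git.dev-at.de:smardigo-hetzner/ansible/hetzner-ansible-roles/hetzner-ansible-node-exporter-role.git ../hetzner-ansible-node-exporter-role`.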
@@ -95,12 +95,16 @@
 - always
 roles:
- - role: common
+ - role: hetzner-ansible-common
- - role: filebeat
+ - role: devsec.hardening.ssh_hardening
+ tags:
+ - ssh_hardening
+
+ - role: hetzner-ansible-filebeat
 when: filebeat_enabled | default(True)
- - role: node_exporter
+ - role: hetzner-ansible-node-exporter
 when: node_exporter_enabled | default(True)
 - role: restore_{{ database_engine }}
diff --git a/roles/common/configs/docker/config.json.j2 b/roles/common/configs/docker/config.json.j2
deleted file mode 100644
index c38fb65..0000000
--- a/roles/common/configs/docker/config.json.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "auths": {
- "{{ shared_service_hostname_harbor }}": {
- "auth": "{{ [harbor_username, harbor_token] | join(":") | string | b64encode }}"
- }
- }
-}
\ No newline at end of file
diff --git a/roles/common/configs/docker/daemon.json.j2 b/roles/common/configs/docker/daemon.json.j2
deleted file mode 100644
index 8286c33..0000000
--- a/roles/common/configs/docker/daemon.json.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "log-driver": "json-file",
- "log-opts": {
- "max-size": "1m",
- "max-file": "5",
- "compress": "true"
- }
-}
\ No newline at end of file
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
deleted file mode 100644
index ed97d53..0000000
--- a/roles/common/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
deleted file mode 100644
index 0faf08a..0000000
--- a/roles/common/handlers/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-- name: restart ntp
- service:
- name=ntpd
- state=restarted
-
-- name: restart ssh
- service:
- name=sshd
- state=restarted
-
-- name: "Regenerate grub config"
- become: yes
- command: "/usr/sbin/update-grub"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
deleted file mode 100644
index 455bf63..0000000
--- a/roles/common/tasks/main.yml
+++ /dev/null
@@ -1,296 +0,0 @@ ---- - -### tags: -### users -### install -### upgrade -### config -### update_etc_hosts -### root_authorized_keys - -- name: "Set hostname to <{{ inventory_hostname }}>" - hostname: - name: "{{ inventory_hostname }}" - -- name: "Setting hosts configuration in /etc/hosts" - blockinfile: - marker: "# {mark} managed by ansible (hosts config for {{ inventory_hostname }})" - path: "/etc/hosts" - mode: '0644' - state: present - create: yes - block: | - {{ '127.0.1.1 ' + inventory_hostname }} - {{ '# shared services without domain (only internal available)' }} - {% for server_info in stage_server_infos | default([]) | sort(attribute='name') %} - {% if - server_info.service in ['elastic','logstash','maria','postgres'] - %} - {{ server_info.private_ip + ' ' + server_info.name }} - {% endif %} - {% endfor %} - {{ '# shared services with domain (maybe external available)' }} - {% for server_info in stage_server_infos | default([]) | sort(attribute='name') %} - {% if - server_info.service in ['harbor','gitea','postfix','keycloak','iam'] - or server_info.name == shared_service_host_management | default([]) - %} - {{ server_info.private_ip + ' ' + server_info.name + '.' 
+ domain_env }} - {% endif %} - {% endfor %} - {{ '# additional services behind kube loadbalancer (maybe available)' }} - {% for host in shared_service_additional_hosts|default([]) %} - {% if shared_service_kube_loadbalancer_ip_not_available == host.ip %} - {{ '# loadbalancer private ip not available for ' + stage + ':' + host.name + ' (use dynamic inventory)'}} - {% else %} - {{ host.ip + ' ' + host.name }} - {% endif %} - {% endfor %} - when: - - "'hcloud' in group_names" - tags: - - update_etc_hosts - -- name: "Adding authorized keys for root" - ansible.posix.authorized_key: - user: root - state: present - key: "{{ lookup('file', 'users/' + item + '/ssh.pub') }}" - loop: '{{ smardigo_plattform_users }}' - tags: - - users - - root_authorized_keys - -# ansible-lint related hint -# https://github.com/ansible-community/ansible-lint/issues/1621 -# => issue whitelisted -- name: "Removing outdated authorized keys for root" # noqa deprecated-bare-vars - ansible.posix.authorized_key: - user: root - state: absent - key: "{{ lookup('file', 'users/outdated/' + item.path) }}" - with_community.general.filetree: users/outdated/ - tags: - - users - - root_authorized_keys - -- name: "Read current users" # noqa risky-shell-pipe - shell: "getent passwd | awk -F: '$3 > 999 {print $1}'" - register: current_users - changed_when: false - tags: - - users - -- name: "Remove outdated users" - user: name={{ item }} state=absent remove=yes - with_items: "{{ current_users.stdout_lines }}" - when: not ((item in default_users) or (item in smardigo_plattform_users)) - tags: - - users - -- name: "Create users" - ansible.builtin.user: - name: '{{ item }}' - groups: '{{ sudo_group }}' - shell: '/bin/bash' - state: present - append: yes - loop: '{{ smardigo_plattform_users }}' - loop_control: - index_var: index - tags: - - users - -- name: "Enable passwordless sudo" - ansible.builtin.lineinfile: - path: /etc/sudoers - state: present - regexp: '^%sudo' - line: '%sudo ALL=(ALL) NOPASSWD: ALL' - 
validate: 'visudo -cf %s' - tags: - - users - -# TODO check usage of key_options "no-agent-forwarding, no-agent-forwarding, no-X11-forwarding" -- name: "Set up authorized users" - ansible.posix.authorized_key: - user: '{{ item }}' - state: present - exclusive: true - key: "{{ lookup('file', '{{ playbook_dir }}/users/{{ item }}/ssh.pub') }}" - loop: '{{ smardigo_plattform_users | difference(["elastic"]) }}' - tags: - - users - -- name: "Update available package list" - apt: - update_cache: yes - tags: - - install - - upgrade - when: ansible_distribution == "Ubuntu" - -- name: "Create crontab entry to remove unused docker objects if necessary" - ansible.builtin.cron: - name: "remove unused docker objects" - minute: "0" - hour: "1" - job: "docker system prune -af --filter label!=prune=disable" - state: "{{ 'present' if docker_enabled else 'absent' }}" - -- name: "Ensure docker configuration directory exists" - file: - path: '/home/{{ item }}/.docker/' - state: directory - owner: '{{ item }}' - group: '{{ item }}' - mode: '0755' - loop: '{{ smardigo_plattform_users }}' - when: docker_enabled - tags: - - users - - config - -- name: "Insert/Update docker configuration" - template: - src: 'configs/docker/config.json.j2' - dest: '/home/{{ item }}/.docker/config.json' - owner: '{{ item }}' - group: '{{ item }}' - mode: 0600 - loop: '{{ smardigo_plattform_users }}' - when: - - docker_enabled - - docker_config_enabled - tags: - - users - - config - -- name: "Install apt-dependencies for {{ inventory_hostname }}" - apt: - name: "{{ item }}" - state: 'present' - loop: "{{ common_apt_dependencies + additional_apt_dependencies | default([]) }}" - when: ansible_distribution == "Ubuntu" - tags: - - install - -- name: "Install python3-pip dependencies for {{ inventory_hostname }}" - pip: - name: "{{ item }}" - state: present - become: True - loop: "{{ common_pip_dependencies + additional_pip_dependencies | default([]) }}" - tags: - - install - -- name: 'Ensures directory exists' - 
file: - state: directory - path: '/etc/bash_completion.d' - mode: '0755' - tags: - - install - -- name: "Download docker bash completion" - ansible.builtin.get_url: - url: https://raw.githubusercontent.com/docker/cli/v20.10.6/contrib/completion/bash/docker - dest: /etc/bash_completion.d/docker - mode: '644' - when: docker_enabled - tags: - - install - -- name: "Ensure docker configuration directory exists" - file: - path: '/root/.docker/' - state: directory - owner: 'root' - group: 'root' - mode: '0755' - when: docker_enabled - tags: - - config - -- name: "Insert/Update docker configuration" - template: - src: 'configs/docker/config.json.j2' - dest: '/root/.docker/config.json' - owner: 'root' - group: 'root' - mode: 0600 - when: - - docker_enabled - - docker_config_enabled - tags: - - config - -- name: "Ensure docker daemon configuration directory exists" - file: - path: '/etc/docker' - state: directory - owner: 'root' - group: 'root' - mode: '0755' - when: docker_enabled - tags: - - config - -- name: "Remove docker daemon configuration when docker_enabled=false" - file: - state: absent - path: '/etc/docker/daemon.json' - when: not docker_enabled - tags: - - config - -- name: "Insert/Update docker daemon configuration" - template: - src: 'configs/docker/daemon.json.j2' - dest: '/etc/docker/daemon.json' - owner: 'root' - group: 'root' - mode: 0600 - when: docker_enabled - tags: - - config - -- name: "Create Docker network" - community.docker.docker_network: - name: "{{ item }}" - labels: - prune: disable - when: docker_enabled - loop: - - front-tier - - back-tier - -# elasticsearch production mode requirements -- name: "Set vm.max_map_count" - sysctl: - name: vm.max_map_count - value: '262144' - sysctl_set: yes - state: present - tags: - - config - -# elasticsearch production mode requirements -- name: "Set fs.file-max" - sysctl: - name: fs.file-max - value: '65536' - sysctl_set: yes - state: present - tags: - - config - -- name: "configure ssh_hardening" - 
include_role:
- # include role from collection called 'devsec'
- name: devsec.hardening.ssh_hardening
- apply:
- tags:
- - ssh_hardening
- tags:
- - ssh_hardening
diff --git a/roles/common/templates/resolv.conf.j2 b/roles/common/templates/resolv.conf.j2
deleted file mode 100644
index cae093a..0000000
--- a/roles/common/templates/resolv.conf.j2
+++ /dev/null
@@ -1 +0,0 @@
-nameserver 8.8.8.8
diff --git a/roles/connect/tasks/main.yml b/roles/connect/tasks/main.yml
index 1b408b8..30915e4 100644
--- a/roles/connect/tasks/main.yml
+++ b/roles/connect/tasks/main.yml
@@ -48,7 +48,7 @@
 - name: "Deploy docker templates for {{ connect_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -60,7 +60,7 @@
 - name: "Deploy service templates for {{ connect_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "connect"
@@ -71,7 +71,7 @@
 - name: "Deploy certificate templates for {{ connect_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "elastic-certs/{{ stage }}-certs/ca"
diff --git a/roles/connect_compact/tasks/main.yml b/roles/connect_compact/tasks/main.yml
index a5653cc..38b5146 100644
--- a/roles/connect_compact/tasks/main.yml
+++ b/roles/connect_compact/tasks/main.yml
@@ -39,7 +39,7 @@
 - name: "Deploy docker templates for {{ connect_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "connect-compact"
diff --git a/roles/connect_wordpress/tasks/main.yml b/roles/connect_wordpress/tasks/main.yml
index b9df6c3..257d976 100644
--- a/roles/connect_wordpress/tasks/main.yml
+++ b/roles/connect_wordpress/tasks/main.yml
@@ -43,7 +43,7 @@
 - name: "Deploy docker templates for {{ wordpress_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -55,7 +55,7 @@
 - name: "Deploy service templates for {{ wordpress_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "wordpress"
diff --git a/roles/elastic/tasks/main.yaml b/roles/elastic/tasks/main.yaml
index adeee89..49a0e67 100644
--- a/roles/elastic/tasks/main.yaml
+++ b/roles/elastic/tasks/main.yaml
@@ -24,7 +24,7 @@
 - name: "Deploy docker templates for {{ elastic_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -38,7 +38,7 @@
 - name: "Deploy service templates for {{ elastic_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "elastic"
@@ -51,7 +51,7 @@
 - name: "Deploy certificate templates for {{ elastic_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "elastic-certs/{{ stage }}-certs"
diff --git a/roles/filebeat/defaults/main.yaml b/roles/filebeat/defaults/main.yaml
deleted file mode 100644
index 652ba68..0000000
--- a/roles/filebeat/defaults/main.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-
-filebeat_image_name: "docker.elastic.co/beats/filebeat"
diff --git a/roles/filebeat/tasks/main.yaml b/roles/filebeat/tasks/main.yaml
deleted file mode 100644
index 5bbe5c0..0000000
--- a/roles/filebeat/tasks/main.yaml
+++ /dev/null
@@ -1,75 +0,0 @@ ---- - -### tags: -### update_certs -### update_config -### update_deployment - -- name: "Check if filebeat/docker-compose.yml exists" - stat: - path: '{{ service_base_path }}/filebeat/docker-compose.yml' - register: check_docker_compose_file - tags: - - update_config - - update_deployment - -- name: "Stop filebeat" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/filebeat' - state: absent - when: check_docker_compose_file.stat.exists - tags: - - update_config - - update_deployment - -- name: "Deploy docker templates for filebeat" - include_role: - name: sma_deploy - tasks_from: templates - vars: - current_config: "_docker" - current_base_path: "{{ service_base_path }}" - current_destination: "filebeat" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - current_docker: "{{ filebeat_docker }}" - tags: - - update_config - - update_deployment - -- name: "Deploy service templates for filebeat" - include_role: - name: sma_deploy - tasks_from: templates - vars: - current_config: "filebeat" - current_base_path: "{{ service_base_path }}" - current_destination: "filebeat" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - tags: - - update_config - -- name: "Deploy certificate templates for filebeat" - include_role: - name: sma_deploy - tasks_from: templates - vars: - current_config: "elastic-certs/{{ stage }}-certs" - current_base_path: "{{ service_base_path }}" - current_destination: "filebeat/certs" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - cleanup_destination: "true" - tags: - - update_certs - - update_config - -- name: "Update filebeat" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/filebeat' - state: present - pull: yes - tags: - - update_config - - update_deployment diff --git a/roles/filebeat/vars/main.yml b/roles/filebeat/vars/main.yml deleted file mode 100644 index 0fe74fe..0000000 
--- a/roles/filebeat/vars/main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-
-filebeat_id: "{{ inventory_hostname }}-filebeat"
-
-filebeat_docker: {
- services: [
- {
- name: "{{ filebeat_id }}",
- image_name: "{{ filebeat_image_name }}",
- image_version: "{{ elastic_filebeat_version }}",
- user: root,
- environment: [
- "node.name: \"{{ filebeat_id }}\"",
- ],
- volumes: [
- '"./config/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro"',
- '"/var/lib/docker/containers/:/var/lib/docker/containers/:ro"',
- '"/var/run/docker.sock:/var/run/docker.sock:ro"',
- '"/var/log/:/var/log/:ro"',
- '"./certs:/usr/share/filebeat/config/certificates:ro"',
- ],
- extra_hosts: "{{ filebeat_extra_hosts | default([]) }}",
- },
- ],
-}
diff --git a/roles/keycloak/tasks/main.yml b/roles/keycloak/tasks/main.yml
index 885031e..6f7a881 100644
--- a/roles/keycloak/tasks/main.yml
+++ b/roles/keycloak/tasks/main.yml
@@ -28,7 +28,7 @@
 - name: "Deploy docker templates for {{ inventory_hostname }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -40,7 +40,7 @@
 - name: "Deploy service templates for {{ inventory_hostname }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "keycloak"
diff --git a/roles/keycloak_compact/tasks/main.yml b/roles/keycloak_compact/tasks/main.yml
index 0641213..ef0bedd 100644
--- a/roles/keycloak_compact/tasks/main.yml
+++ b/roles/keycloak_compact/tasks/main.yml
@@ -25,7 +25,7 @@
 - name: "Deploy docker templates for {{ keycloak_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "keycloak-compact"
diff --git a/roles/kibana/tasks/main.yaml b/roles/kibana/tasks/main.yaml
index 3d3f716..99b115a 100644
--- a/roles/kibana/tasks/main.yaml
+++ b/roles/kibana/tasks/main.yaml
@@ -31,7 +31,7 @@
 - name: "Deploy docker templates for {{ kibana_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -45,7 +45,7 @@
 - name: "Deploy service templates for {{ kibana_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "elastic"
@@ -58,7 +58,7 @@
 - name: "Deploy certificate templates for {{ kibana_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "elastic-certs/{{ stage }}-certs"
diff --git a/roles/logstash/tasks/main.yaml b/roles/logstash/tasks/main.yaml
index 14808a1..486a9df 100644
--- a/roles/logstash/tasks/main.yaml
+++ b/roles/logstash/tasks/main.yaml
@@ -24,7 +24,7 @@
 - name: "Deploy docker templates for {{ logstash_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -38,7 +38,7 @@
 - name: "Deploy service templates for {{ logstash_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "logstash"
@@ -51,7 +51,7 @@
 - name: "Deploy certificate templates for {{ logstash_id }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "elastic-certs/{{ stage }}-certs"
diff --git a/roles/metricbeat/defaults/main.yaml b/roles/metricbeat/defaults/main.yaml
deleted file mode 100644
index 88543e4..0000000
--- a/roles/metricbeat/defaults/main.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-
-metricbeat_image_name: "docker.elastic.co/beats/metricbeat"
diff --git a/roles/metricbeat/tasks/main.yaml b/roles/metricbeat/tasks/main.yaml
deleted file mode 100644
index 6b47203..0000000
--- a/roles/metricbeat/tasks/main.yaml
+++ /dev/null
@@ -1,75 +0,0 @@ ---- - -### tags: -### update_certs -### update_config -### update_deployment - -- name: "Check if metricbeat/docker-compose.yml exists" - stat: - path: '{{ service_base_path }}/metricbeat/docker-compose.yml' - register: check_docker_compose_file - tags: - - update_config - - update_deployment - -- name: "Stop metricbeat" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/metricbeat' - state: absent - when: check_docker_compose_file.stat.exists - tags: - - update_config - - update_deployment - -- name: "Deploy docker templates for metricbeat" - include_role: - name: sma_deploy - tasks_from: templates - vars: - current_config: "_docker" - current_base_path: "{{ service_base_path }}" - current_destination: "metricbeat" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - current_docker: "{{ metricbeat_docker }}" - tags: - - update_config - - update_deployment - -- name: "Deploy service templates for metricbeat" - include_role: - name: sma_deploy - tasks_from: templates - vars: - current_config: "metricbeat" - current_base_path: "{{ service_base_path }}" - current_destination: "metricbeat" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - tags: - - update_config - -- name: "Deploy certificate templates for metricbeat" - include_role: - name: sma_deploy - tasks_from: templates - vars: - current_config: "elastic-certs/{{ stage }}-certs" - current_base_path: "{{ service_base_path }}" - current_destination: "metricbeat/certs" - current_owner: "{{ docker_owner }}" - current_group: "{{ docker_group }}" - cleanup_destination: "true" - tags: - - update_certs - - update_config - -- name: "Update metricbeat" - community.docker.docker_compose: - project_src: '{{ service_base_path }}/metricbeat' - state: present - pull: yes - tags: - - update_config - - update_deployment 
diff --git a/roles/metricbeat/vars/main.yml b/roles/metricbeat/vars/main.yml deleted file mode 100644 index 528bd98..0000000 --- a/roles/metricbeat/vars/main.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- - -metricbeat_id: "{{ inventory_hostname }}-metricbeat" - -metricbeat_docker: { - services: [ - { - name: "{{ metricbeat_id }}", - image_name: "{{ metricbeat_image_name }}", - image_version: "{{ elastic_metricbeat_version }}", - user: root, - environment: [ - "node.name: \"{{ metricbeat_id }}\"", - ], - volumes: [ - '"./config/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml:ro"', - '"/var/run/docker.sock:/var/run/docker.sock:ro"', - '"/sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro"', - '"/proc:/hostfs/proc:ro"', - '"/:/hostfs:ro"', - '"./certs:/usr/share/metricbeat/config/certificates:ro"', - ], - extra_hosts: "{{ metricbeat_extra_hosts | default([]) }}", - }, - ], -} diff --git a/roles/node_exporter/files/default_config b/roles/node_exporter/files/default_config deleted file mode 100644 index 99456ce..0000000 --- a/roles/node_exporter/files/default_config +++ /dev/null 
@@ -1,128 +0,0 @@
-# Set the command-line arguments to pass to the server.
-# Due to shell scaping, to pass backslashes for regexes, you need to double
-# them (\\d for \d). If running under systemd, you need to double them again
-# (\\\\d to mean \d), and escape newlines too.
-ARGS="--web.listen-address='127.0.0.1:9082'"
-
-# Prometheus-node-exporter supports the following options:
-#
-# --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
-# Regexp of devices to ignore for diskstats.
-# --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
-# Regexp of mount points to ignore for filesystem
-# collector.
-# --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
-# Regexp of filesystem types to ignore for
-# filesystem collector.
-# --collector.netdev.ignored-devices="^lo$"
-# Regexp of net devices to ignore for netdev
-# collector.
-# --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
-# Regexp of fields to return for netstat
-# collector.
-# --collector.ntp.server="127.0.0.1"
-# NTP server to use for ntp collector
-# --collector.ntp.protocol-version=4
-# NTP protocol version
-# --collector.ntp.server-is-local
-# Certify that collector.ntp.server address is the
-# same local host as this collector.
-# --collector.ntp.ip-ttl=1 IP TTL to use while sending NTP query
-# --collector.ntp.max-distance=3.46608s
-# Max accumulated distance to the root
-# --collector.ntp.local-offset-tolerance=1ms
-# Offset between local clock and local ntpd time
-# to tolerate
-# --path.procfs="/proc" procfs mountpoint.
-# --path.sysfs="/sys" sysfs mountpoint.
-# --collector.qdisc.fixtures=""
-# test fixtures to use for qdisc collector
-# end-to-end testing
-# --collector.runit.servicedir="/etc/service"
-# Path to runit service directory.
-# --collector.supervisord.url="http://localhost:9001/RPC2"
-# XML RPC endpoint.
-# --collector.systemd.unit-whitelist=".+"
-# Regexp of systemd units to whitelist. Units must
-# both match whitelist and not match blacklist to
-# be included.
-# --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
-# Regexp of systemd units to blacklist. Units must
-# both match whitelist and not match blacklist to
-# be included.
-# --collector.systemd.private
-# Establish a private, direct connection to
-# systemd without dbus.
-# --collector.textfile.directory="/var/lib/prometheus/node-exporter"
-# Directory to read text files with metrics from.
-# --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
-# Regexp of fields to return for vmstat collector.
-# --collector.wifi.fixtures=""
-# test fixtures to use for wifi collector metrics
-# --collector.arp Enable the arp collector (default: enabled).
-# --collector.bcache Enable the bcache collector (default: enabled).
-# --collector.bonding Enable the bonding collector (default: enabled).
-# --collector.buddyinfo Enable the buddyinfo collector (default:
-# disabled).
-# --collector.conntrack Enable the conntrack collector (default:
-# enabled).
-# --collector.cpu Enable the cpu collector (default: enabled).
-# --collector.diskstats Enable the diskstats collector (default:
-# enabled).
-# --collector.drbd Enable the drbd collector (default: disabled).
-# --collector.edac Enable the edac collector (default: enabled).
-# --collector.entropy Enable the entropy collector (default: enabled).
-# --collector.filefd Enable the filefd collector (default: enabled).
-# --collector.filesystem Enable the filesystem collector (default:
-# enabled).
-# --collector.hwmon Enable the hwmon collector (default: enabled).
-# --collector.infiniband Enable the infiniband collector (default:
-# enabled).
-# --collector.interrupts Enable the interrupts collector (default:
-# disabled).
-# --collector.ipvs Enable the ipvs collector (default: enabled).
-# --collector.ksmd Enable the ksmd collector (default: disabled).
-# --collector.loadavg Enable the loadavg collector (default: enabled).
-# --collector.logind Enable the logind collector (default: disabled).
-# --collector.mdadm Enable the mdadm collector (default: enabled).
-# --collector.meminfo Enable the meminfo collector (default: enabled).
-# --collector.meminfo_numa Enable the meminfo_numa collector (default:
-# disabled).
-# --collector.mountstats Enable the mountstats collector (default:
-# disabled).
-# --collector.netdev Enable the netdev collector (default: enabled).
-# --collector.netstat Enable the netstat collector (default: enabled).
-# --collector.nfs Enable the nfs collector (default: enabled).
-# --collector.nfsd Enable the nfsd collector (default: enabled).
-# --collector.ntp Enable the ntp collector (default: disabled).
-# --collector.qdisc Enable the qdisc collector (default: disabled).
-# --collector.runit Enable the runit collector (default: disabled).
-# --collector.sockstat Enable the sockstat collector (default:
-# enabled).
-# --collector.stat Enable the stat collector (default: enabled).
-# --collector.supervisord Enable the supervisord collector (default:
-# disabled).
-# --collector.systemd Enable the systemd collector (default: enabled).
-# --collector.tcpstat Enable the tcpstat collector (default:
-# disabled).
-# --collector.textfile Enable the textfile collector (default:
-# enabled).
-# --collector.time Enable the time collector (default: enabled).
-# --collector.uname Enable the uname collector (default: enabled).
-# --collector.vmstat Enable the vmstat collector (default: enabled).
-# --collector.wifi Enable the wifi collector (default: enabled).
-# --collector.xfs Enable the xfs collector (default: enabled).
-# --collector.zfs Enable the zfs collector (default: enabled).
-# --collector.timex Enable the timex collector (default: enabled).
-# --web.listen-address=":9100"
-# Address on which to expose metrics and web
-# interface.
-# --web.telemetry-path="/metrics"
-# Path under which to expose metrics.
-# --log.level="info" Only log messages with the given severity or
-# above. Valid levels: [debug, info, warn, error,
-# fatal]
-# --log.format="logger:stderr"
-# Set the log target and format. Example:
-# "logger:syslog?appname=bob&local=7" or
-# "logger:stdout?json=true"
diff --git a/roles/node_exporter/handlers/main.yml b/roles/node_exporter/handlers/main.yml
deleted file mode 100644
index 5b1ac83..0000000
--- a/roles/node_exporter/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: "restart node-exporter"
- service:
- name: prometheus-node-exporter.service
- state: restarted
diff --git a/roles/node_exporter/tasks/main.yml b/roles/node_exporter/tasks/main.yml
deleted file mode 100644
index 5cc4df5..0000000
--- a/roles/node_exporter/tasks/main.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-
-### tags:
-
-- name: "Ensure prometheus-node-exporter ist installed"
- apt:
- pkg:
- - prometheus-node-exporter
- - prometheus-node-exporter-collectors
- tags:
- - node_exporter
-
-- name: "checking for default config"
- stat:
- path: /etc/default/prometheus-node-exporter
- register: default_config
- tags:
- - node_exporter
-
-- name: "providing default config"
- copy:
- src: default_config
- dest: /etc/default/prometheus-node-exporter
- owner: root
- group: root
- mode: '0644'
- when:
- - not default_config.stat.exists
- tags:
- - node_exporter
-
-- name: "Setup prometheus-node-exporter interface bind"
- lineinfile:
- path: /etc/default/prometheus-node-exporter
- regex: "^ARGS="
- line: "ARGS=\"--web.listen-address='{{ node_exporter_listen_address }}:{{ monitor_port_system }}'\""
- notify: restart node-exporter
- tags:
- - node_exporter
-
-- name: "Ensure prometheus-node-exporter is running"
- service:
- name: prometheus-node-exporter
- state: started
- tags:
- - node_exporter
diff --git a/roles/pgadmin4/tasks/main.yml b/roles/pgadmin4/tasks/main.yml
index 014081c..a75ca7e 100644
--- a/roles/pgadmin4/tasks/main.yml
+++ b/roles/pgadmin4/tasks/main.yml
@@ -29,7 +29,7 @@
 - name: "Deploy docker templates for {{ inventory_hostname }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -43,7 +43,7 @@
 - name: "Deploy service templates for {{ inventory_hostname }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "pgadmin4"
diff --git a/roles/prometheus/tasks/_update_config.yml b/roles/prometheus/tasks/_update_config.yml
index 2309392..4525603 100644
--- a/roles/prometheus/tasks/_update_config.yml
+++ b/roles/prometheus/tasks/_update_config.yml
@@ -5,7 +5,7 @@
 - name: "Deploy service templates for {{ inventory_hostname }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "prometheus"
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index ecd8dba..d24dd9c 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -44,7 +44,7 @@
 - name: "Deploy docker templates for {{ inventory_hostname }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
diff --git a/roles/shared_service/tasks/main.yml b/roles/shared_service/tasks/main.yml
index 5cb295a..d8b2ec6 100644
--- a/roles/shared_service/tasks/main.yml
+++ b/roles/shared_service/tasks/main.yml
@@ -46,7 +46,7 @@
 - name: "Deploying docker templates for <{{ current_service_id }}>"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -58,7 +58,7 @@
 - name: "Deploying service templates for <{{ current_service_id }}>"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "{{ current_service }}"
diff --git a/roles/sma_deploy/defaults/main.yml b/roles/sma_deploy/defaults/main.yml
deleted file mode 100644
index ed97d53..0000000
--- a/roles/sma_deploy/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/roles/sma_deploy/tasks/htpasswd.yml b/roles/sma_deploy/tasks/htpasswd.yml
deleted file mode 100644
index 827d169..0000000
--- a/roles/sma_deploy/tasks/htpasswd.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-
-- name: "Create empty htpswd file"
- ansible.builtin.file:
- path: "{{ htpasswd_file_path }}"
- state: touch
- mode: '0600'
-
-- name: "Add a user and password to empty htpswd file>"
- community.general.htpasswd:
- path: "{{ htpasswd_file_path }}"
- name: "{{ basic_auth_username }}"
- password: "{{ basic_auth_password }}"
- mode: '0600'
-
-- name: "Read credentials out of htpasswd file"
- ansible.builtin.slurp:
- src: "{{ htpasswd_file_path }}"
- register: "credentials"
-
-- name: "Delete htpasswd file"
- ansible.builtin.file:
- path: "{{ htpasswd_file_path }}"
- state: absent
-
-- name: "Setting htpasswd to <{{ credentials_name }}>" ## noqa var-naming
- ansible.builtin.set_fact: "{{ credentials_name }}={{ credentials.content | b64decode | trim | replace('$','$$') }}"
diff --git a/roles/sma_deploy/tasks/templates.yml b/roles/sma_deploy/tasks/templates.yml
deleted file mode 100644
index 15de7d9..0000000
--- a/roles/sma_deploy/tasks/templates.yml
+++ /dev/null
@@ -1,68 +0,0 @@
----
-
-### tags:
-### update_certs
-### update_config
-### update_deployment
-
-- name: 'Delete {{ current_base_path }}/{{ current_destination }}'
- file:
- state: absent
- path: "{{ current_base_path }}/{{ current_destination }}"
- when: cleanup_destination is defined and cleanup_destination == "true"
- tags:
- - update_certs
- - update_config
- - update_deployment
-
-- name: 'Ensures {{ current_base_path }}/{{ current_destination }} directory exists'
- file:
- state: directory
- path: '{{ current_base_path }}/{{ current_destination }}'
- mode: '0755'
- tags:
- - update_certs
- - update_config
- - update_deployment
-
-- name: 'Ensure directory structure for {{ current_config }} exists'
- file:
- path: "{{ current_base_path }}/{{ current_destination }}/{{ item.path }}"
- state: directory
- owner: "{{ current_owner }}"
- group: "{{ current_group }}"
- mode: 0755
- with_filetree: "templates/{{ current_config }}"
- when: item.state == "directory"
- tags:
- - update_certs
- - update_config
- - update_deployment
-
-- name: Ensure config template files are populated from templates/{{ current_config }}
- template:
- src: "{{ item.src }}"
- dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path | regex_replace('\\.j2$', '') }}"
- owner: "{{ current_owner }}"
- group: "{{ current_group }}"
- mode: 0644
- with_filetree: "templates/{{ current_config }}"
- when: item.state == 'file' and item.src is match('.*\.j2$')
- tags:
- - update_certs
- - update_config
- - update_deployment
-
-- name: Ensure config files are populated from from templates/{{ current_config }}
- copy:
- src: "{{ item.src }}"
- dest: "{{ current_base_path }}/{{ current_destination }}/{{ item.path }}"
- owner: "{{ current_owner }}"
- group: "{{ current_group }}"
- mode: 0644
- with_filetree: "templates/{{ current_config }}"
- when: item.state == 'file' and item.src is not match('.*\.j2$')
- tags:
- - update_certs
- - update_config
- - update_deployment
diff --git a/roles/sma_deploy/vars/main.yml b/roles/sma_deploy/vars/main.yml
deleted file mode 100644
index ed97d53..0000000
--- a/roles/sma_deploy/vars/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
deleted file mode 100644
index 5de8182..0000000
--- a/roles/traefik/defaults/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-
-traefik_image_name: "traefik"
-traefik_dns_01_challenge: true
diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml
deleted file mode 100644
index f9a96fd..0000000
--- a/roles/traefik/tasks/main.yml
+++ /dev/null
@@ -1,54 +0,0 @@
----
-
-### tags:
-
-- name: "Check if traefik/docker-compose.yml exists"
- stat:
- path: '{{ service_base_path }}/traefik/docker-compose.yml'
- register: check_docker_compose_file
-
-- name: "Stop traefik"
- community.docker.docker_compose:
- project_src: '{{ service_base_path }}/traefik'
- state: absent
- when: check_docker_compose_file.stat.exists
-
-- name: "Deploy docker templates for traefik"
- include_role:
- name: sma_deploy
- tasks_from: templates
- vars:
- current_config: "_docker"
- current_base_path: "{{ service_base_path }}"
- current_destination: "traefik"
- current_owner: "{{ docker_owner }}"
- current_group: "{{ docker_group }}"
- current_docker: "{{ traefik_docker }}"
-
-- name: "Deploy service templates for traefik"
- include_role:
- name: sma_deploy
- tasks_from: templates
- vars:
- current_config: "traefik"
- current_base_path: "{{ service_base_path }}"
- current_destination: "traefik"
- current_owner: "{{ docker_owner }}"
- current_group: "{{ docker_group }}"
-
-- name: "Ensure acme.json exists"
- copy:
- content: ""
- dest: '{{ service_base_path }}/traefik/acme.json'
- force: no
- owner: "{{ docker_owner }}"
- group: "{{ docker_group }}"
- mode: '0600'
-
-- name: "Update traefik"
- community.docker.docker_compose:
- project_src: '{{ service_base_path }}/traefik'
- state: present
- pull: yes
- tags:
- - update_deployment
diff --git a/roles/traefik/vars/main.yml b/roles/traefik/vars/main.yml
deleted file mode 100644
index d7185f9..0000000
--- a/roles/traefik/vars/main.yml
+++ /dev/null
@@ -1,76 +0,0 @@
----
-
-traefik_id: "{{ inventory_hostname }}-traefik"
-
-traefik_environment_digitalocean: [
- 'DO_AUTH_TOKEN: "{% if traefik_dns_01_challenge %}{{ digitalocean_authentication_token }}{% else %}{% endif %}"',
-]
-traefik_environment_hetzner: [
- 'HETZNER_API_KEY: "{% if traefik_dns_01_challenge %}{{ hetzner_dns_api_key }}{% else %}{% endif %}"',
-]
-traefik_environment_dns: "{{ traefik_environment_digitalocean if dns == 'digitalocean' else traefik_environment_hetzner if dns == 'hetzner' else [] }}"
-
-traefik_docker: {
- networks: [
- {
- name: front-tier,
- external: 'true',
- },
- ],
- services: [
- {
- name: "{{ traefik_id }}",
- image_name: "{{ traefik_image_name }}",
- image_version: "{{ traefik_version }}",
- environment: "{{ traefik_environment_dns }}",
- volumes: [
- '"./acme.json:/acme.json"',
- '"./traefik.toml:/traefik.toml:ro"',
- '"./traefik_dynamic.toml:/traefik_dynamic.toml:ro"',
- '"/var/run/docker.sock:/var/run/docker.sock:ro"',
- '"./config/static_files:/var/www/static_files:ro"',
- ],
- networks: [
- '"front-tier"'
- ],
- ports: [
- {
- external: "0.0.0.0:{{ http_port }}",
- internal: "{{ http_port }}"
- },
- {
- external: "0.0.0.0:{{ https_port }}",
- internal: "{{ https_port }}"
- },
- {
- external: "0.0.0.0:{{ service_port_git }}",
- internal: "{{ service_port_git }}"
- },
- {
- external: "0.0.0.0:{{ service_port_pgadmin }}",
- internal: "{{ service_port_pgadmin }}"
- },
- {
- external: "0.0.0.0:{{ service_port_phpmyadmin }}",
- internal: "{{ service_port_phpmyadmin }}"
- },
- {
- external: "0.0.0.0:{{ admin_port_traefik }}",
- internal: "{{ admin_port_traefik }}"
- },
- {
- external: "0.0.0.0:{{ admin_port_service }}",
- internal: "{{ admin_port_service }}"
- },
- {
- external: "0.0.0.0:{{ monitor_port_docker }}",
- internal: "{{ monitor_port_docker }}"
- },
- {
- external: "0.0.0.0:{{ monitor_port_harbor }}",
- internal: "{{ monitor_port_harbor }}"
- },
- ],
- }
- ]
-}
diff --git a/roles/webdav/tasks/main.yaml b/roles/webdav/tasks/main.yaml
index c47031d..58dd60d 100644
--- a/roles/webdav/tasks/main.yaml
+++ b/roles/webdav/tasks/main.yaml
@@ -15,7 +15,7 @@
 - name: "Deploy docker templates for {{ inventory_hostname }}"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "_docker"
@@ -27,7 +27,7 @@
 - name: "Deploy service templates for webdav"
 include_role:
- name: sma_deploy
+ name: hetzner-ansible-sma-deploy
 tasks_from: templates
 vars:
 current_config: "webdav"
diff --git a/setup.yml b/setup.yml
index 066c13d..fb4652d 100644
--- a/setup.yml
+++ b/setup.yml
@@ -48,31 +48,35 @@
 when:
 - docker_enabled
- - role: common
+ - role: hetzner-ansible-common
 tags:
 - common
+
+ - role: devsec.hardening.ssh_hardening
+ tags:
+ - ssh_hardening
- - role: node_exporter
+ - role: hetzner-ansible-node-exporter
 when:
 - node_exporter_enabled
 tags:
 - node-exporter
- - role: filebeat
+ - role: hetzner-ansible-filebeat
 when:
 - docker_enabled
 - filebeat_enabled
 tags:
 - filebeat
- - role: metricbeat
+ - role: hetzner-ansible-metricbeat
 when:
 - docker_enabled
 - metricbeat_enabled
 tags:
 - metricbeat
- - role: traefik
+ - role: hetzner-ansible-traefik
 when:
 - docker_enabled
 - traefik_enabled
diff --git a/stage-dev b/stage-dev
index fad65ee..4d5d762 100644
--- a/stage-dev
+++ b/stage-dev
@@ -59,9 +59,6 @@ dev-devops-iaas-01
 [webdav]
 #dev-webdav-01
-[test]
-dev-test-roles-01
-
 [kube_control_plane]
 devnso-kube-cpl-01
 devnso-kube-cpl-02
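Review bot: The newly added `devsec.hardening.ssh_hardening` entry in the setup.yml hunk is the only role in this list without a `when:` gate, while node_exporter, filebeat, metricbeat and traefik are each switched by an `*_enabled` variable; as written the hardening profile is applied unconditionally to every host the play targets, and a role that rewrites sshd_config on first run can lock operators out of a host whose access method (key types, allowed users or groups, password login) is not reflected in the role's variables. Consider gating it in the same style as its neighbours, e.g. `when: - ssh_hardening_enabled` (a new flag, defaulting to false until each host group has been validated), and leave a comment above the entry naming the role variables the inventory is expected to set before enabling it. The collection the role comes from should also be pinned to a version in galaxy-requirements.yml — that file is changed in this commit but is not visible here — so the hardening baseline does not drift between runs. The roles list this hunk edits starts before the hunk, so the enclosing play and the `docker_enabled` condition shown at the top of the hunk are only partially visible.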