diff --git a/molecule/no_tls_multi_node/converge.yml b/molecule/no_tls_multi_node/converge.yml index cbc0a88..53e107e 100644 --- a/molecule/no_tls_multi_node/converge.yml +++ b/molecule/no_tls_multi_node/converge.yml @@ -1,3 +1,9 @@ --- +- name: Include a playbook from a collection + ansible.builtin.import_playbook: ednxzu.hashistack.preflight.yml + +- name: Include a playbook from a collection + ansible.builtin.import_playbook: ednxzu.hashistack.prepare.yml + - name: Include a playbook from a collection ansible.builtin.import_playbook: ednxzu.hashistack.deploy.yml diff --git a/playbooks/preflight.yml b/playbooks/preflight.yml new file mode 100644 index 0000000..3c1ff7f --- /dev/null +++ b/playbooks/preflight.yml @@ -0,0 +1,9 @@ +--- +# hashistack deployment playbook +- name: "Preflight" + hosts: all + gather_facts: true + tasks: + - name: "Debug" + ansible.builtin.debug: + msg: "{{ ansible_hostname }}" diff --git a/roles/hashicorp_consul/LICENSE b/roles/hashicorp_consul/LICENSE deleted file mode 100644 index c9a37e5..0000000 --- a/roles/hashicorp_consul/LICENSE +++ /dev/null 
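Review bot: All three plays in the converge.yml hunk now carry the identical name `Include a playbook from a collection`, so the play banners in the molecule output no longer say whether preflight, prepare or deploy is running, and a failure is harder to place. Give each import a distinct name, e.g. `- name: Run hashistack preflight checks`, `- name: Prepare hashistack hosts`, `- name: Deploy hashistack`. The ordering preflight → prepare → deploy is the right shape for a gate, but as far as this diff shows the imported preflight playbook only prints a debug message, so nothing is actually gated yet; a short comment above the first import saying that preflight is expected to fail fast on unsupported hosts would document the intent.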
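Review bot: The header comment in the new playbooks/preflight.yml, `# hashistack deployment playbook`, describes deployment, but the play is named "Preflight" and its only task is a debug of `ansible_hostname`; the comment looks copied from deploy.yml and should be replaced with something like `# hashistack preflight playbook: host sanity checks that must pass before prepare/deploy`. The play is otherwise a placeholder, so I would add a `# TODO: replace the debug task with assert-based checks (supported OS, required facts, reachability)` next to the "Debug" task so the stub is not mistaken for a finished gate. `gather_facts: true` is required here for `ansible_hostname` and is correctly set.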
@@ -1,20 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2017 Bertrand Lanson - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/roles/hashicorp_consul/README.md b/roles/hashicorp_consul/README.md deleted file mode 100644 index e349875..0000000 --- a/roles/hashicorp_consul/README.md +++ /dev/null 
@@ -1,106 +0,0 @@ -hashicorp_consul -========= -> This repository is only a mirror. Development and testing is done on a private gitea server. - -This role install and configure consul on **debian-based** distributions. - -Requirements ------------- - -None. - -Role Variables --------------- -Available variables are listed below, along with default values. A sample file for the default values is available in `default/hashicorp_consul.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. - -```yaml -hashi_consul_install: true # by default, set to true -``` -This variable defines if the consul package is to be installed or not before configuring. If you install consul using another task, you can set this to `false`. - -```yaml -hashi_consul_auto_update: false # by default, set to false -``` -This variable allows you to choose to automatically update consul if a newer version is available. Updating consul is usually pretty safe if done on a regular basis, but for better control over the upgrade process, see `hashi_consul_version`. - -```yaml -hashi_consul_start_service: true -``` -This variable defines if the consul service should be started once it has been configured. This is usefull in case you're using this role to build golden images, in which case you might want to only enable the service, to have it start on the next boot (when the image is launched) - -```yaml -hashi_consul_version: latest # by default, set to latest -``` -This variable specifies the version of consul to install when `hashi_consul_install` is set to `true`. The version to specify is the version of the package on the hashicorp repository (`1.14.1-1` for example). This can be found by running `apt-cache madison consul` on a machine with the repository installed. - -```yaml -hashi_consul_deploy_method: host # by default, set to host -``` -This variable defines the method of deployment of consul. 
The `host` method installs the binary directly on the host, and runs consul as a systemd service. The `docker` method install consul as a docker container. -> Currently, only the `host` method is available, the `docker` method will be added later. - -```yaml -hashi_consul_env_variables: # by default, set to {} - env_var: value -``` -This value is a list of key/value that will populate the `consul.env` file. You do not have to capitalize the KEYS, as it will be done automatically. - -```yaml -hashi_consul_data_dir: "/opt/consul" # by default, set to /opt/consul -``` -This value defines the path where consul data will be stored on the node. Defaults to `/opt/consul`. - -```yaml -hashi_consul_extra_files: false # by default, set to false -``` -This variable defines whether or not there is extra configuration files to copy to the target. If there are, these extra files are expected to be jinja2 templates located all in the same directory, and will be copied to the specified directory on the target machine. - -```yaml -hashi_consul_extra_files_src: /tmp/extra_files # by default, set to /tmp/extra_files -``` -This variable defines the source directory (without the trailing /) for the extra files to be copied in case there are some. - -```yaml -hashi_consul_extra_files_dst: /etc/consul.d/extra_files # by default, set to /etc/consul.d/extra_files -``` -This variable defines the destination directory (without the trailing /) for the extra files to be copied. - -```yaml -hashi_consul_envoy_install: false # by default, set to false -``` -This variable allows you to install the envoy binary on the consul node, in case you need to deploy connect proxies. This feature is usefull when deploying consul agents that will handle services in the service mesh. It is NOT required on server nodes (since they most likely wont have services running in service mesh). 
-```yaml -hashi_consul_envoy_version: latest # by default, set to latest -``` -This variable defines which version of envoy to install in case `hashi_consul_envoy_install` is set to true. **IMPORTANT:** The `latest` version set by default is not guaranteed to work, please refer to the [documentation](https://developer.hashicorp.com/consul/docs/connect/proxies/envoy#supported-versions) for informations about the support matrix for consul and envoy. - -```yaml -hashi_consul_configuration: {} # by default, set to a simple configuration -``` -This variable sets all of the configuration parameters for consul. For more information on all of them, please check the [documentation](https://developer.hashicorp.com/consul/docs/agent/config/config-files). This variable is parsed and converted to json format to create the config file, so each key and value should be set according to the documentation. This method of passing configuration allows for compatibility with every configuration parameters that consul has to offer. The defaults are simply here to deploy a simple, single-node consul server without much configuration, and should NOT be used in production. You will want to edit this to deploy production-ready clusters. - -Dependencies ------------- - -`ednxzu.manage_repositories` to configure the hashicorp apt repository. -`ednxzu.manage_apt_packages` to install consul. - -Example Playbook ----------------- - -```yaml -# calling the role inside a playbook with either the default or group_vars/host_vars -- hosts: servers - roles: - - ednxzu.hashicorp_consul -``` - -License -------- - -MIT / BSD - -Author Information ------------------- - -This role was created by Bertrand Lanson in 2023. diff --git a/roles/hashicorp_consul/defaults/hashicorp_consul.yml.sample b/roles/hashicorp_consul/defaults/hashicorp_consul.yml.sample deleted file mode 100644 index c644129..0000000 --- a/roles/hashicorp_consul/defaults/hashicorp_consul.yml.sample +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -# hashi_consul_install: true -# hashi_consul_auto_update: false -# hashi_consul_start_service: true -# hashi_consul_version: latest -# hashi_consul_deploy_method: host # deployment method, either host or docker. -# hashi_consul_env_variables: {} -# hashi_consul_data_dir: "/opt/consul" -# hashi_consul_extra_files: false -# hashi_consul_extra_files_src: /tmp/extra_files -# hashi_consul_extra_files_dst: /etc/consul.d/extra_files -# hashi_consul_envoy_install: false -# hashi_consul_envoy_version: latest -# #! consul configuration -# hashi_consul_configuration: -# domain: consul -# datacenter: dc1 -# primary_datacenter: dc1 -# client_addr: "0.0.0.0" -# bind_addr: "{{ ansible_default_ipv4.address }}" -# advertise_addr: "{{ ansible_default_ipv4.address }}" -# data_dir: "{{ hashi_consul_data_dir }}" -# encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}" -# server: true -# bootstrap_expect: 1 -# retry_join: -# - "{{ ansible_default_ipv4.address }}" -# ui_config: -# enabled: true -# connect: -# enabled: false -# leave_on_terminate: true -# rejoin_after_leave: true -# enable_script_checks: true -# enable_syslog: true -# log_level: INFO -# acl: -# enabled: false -# default_policy: "allow" -# enable_token_persistence: true -# tokens: -# initial_management: "" -# agent: "" -# dns_config: -# allow_stale: true -# enable_truncate: true -# only_passing: true -# ports: -# dns: 8600 -# http: 8500 -# https: -1 -# grpc: 8502 -# grpc_tls: 8503 -# server: 8300 -# serf_lan: 8301 -# serf_wan: 8302 -# sidecar_min_port: 21000 -# sidecar_max_port: 21255 -# expose_min_port: 21500 -# expose_max_port: 21755 -# # tls: -# # defaults: -# # ca_file: "{{ hashi_consul_data_dir }}/tls/ca.pem" -# # cert_file: "{{ hashi_consul_data_dir }}/tls/cert.pem" -# # key_file: "{{ hashi_consul_data_dir }}/tls/key.pem" -# # verify_incoming: false -# # verify_outgoing: true -# # grpc: {} -# # https: {} 
diff --git a/roles/hashicorp_consul/defaults/main.yml b/roles/hashicorp_consul/defaults/main.yml deleted file mode 100644 index 6a35bca..0000000 --- a/roles/hashicorp_consul/defaults/main.yml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -# defaults file for hashicorp_consul -hashi_consul_install: true -hashi_consul_auto_update: false -hashi_consul_start_service: true -hashi_consul_version: latest -hashi_consul_deploy_method: host # deployment method, either host or docker. -hashi_consul_env_variables: {} -hashi_consul_data_dir: "/opt/consul" -hashi_consul_extra_files: false -hashi_consul_extra_files_src: /tmp/extra_files -hashi_consul_extra_files_dst: /etc/consul.d/extra_files -hashi_consul_envoy_install: false -hashi_consul_envoy_version: latest -#! consul configuration -hashi_consul_configuration: - domain: consul - datacenter: dc1 - primary_datacenter: dc1 - client_addr: "0.0.0.0" - bind_addr: "{{ ansible_default_ipv4.address }}" - advertise_addr: "{{ ansible_default_ipv4.address }}" - data_dir: "{{ hashi_consul_data_dir }}" - encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}" - server: true - bootstrap_expect: 1 - retry_join: - - "{{ ansible_default_ipv4.address }}" - ui_config: - enabled: true - connect: - enabled: false - leave_on_terminate: true - rejoin_after_leave: true - enable_script_checks: true - enable_syslog: true - log_level: INFO - acl: - enabled: false - default_policy: "allow" - enable_token_persistence: true - tokens: - initial_management: "" - agent: "" - dns_config: - allow_stale: true - enable_truncate: true - only_passing: true - ports: - dns: 8600 - http: 8500 - https: -1 - grpc: 8502 - grpc_tls: 8503 - server: 8300 - serf_lan: 8301 - serf_wan: 8302 - sidecar_min_port: 21000 - sidecar_max_port: 21255 - expose_min_port: 21500 - expose_max_port: 21755 - # tls: - # defaults: - # ca_file: "{{ hashi_consul_data_dir }}/tls/ca.pem" - # cert_file: "{{ hashi_consul_data_dir }}/tls/cert.pem" - # key_file: "{{ hashi_consul_data_dir }}/tls/key.pem" - # verify_incoming: false - # verify_outgoing: true - # grpc: {} - # https: {} 
diff --git a/roles/hashicorp_consul/files/.gitkeep b/roles/hashicorp_consul/files/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/roles/hashicorp_consul/handlers/main.yml b/roles/hashicorp_consul/handlers/main.yml deleted file mode 100644 index bbf20d9..0000000 --- a/roles/hashicorp_consul/handlers/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# handlers file for hashicorp_consul -- name: "Reload systemd file" - ansible.builtin.systemd: - daemon_reload: true - listen: "systemctl-daemon-reload" - -- name: "Enable consul service" - ansible.builtin.service: - name: consul - enabled: true - listen: "systemctl-enable-consul" - -- name: "Start consul service" - ansible.builtin.service: - name: consul - state: restarted - listen: "systemctl-restart-consul" - throttle: 1 - when: hashi_consul_start_service diff --git a/roles/hashicorp_consul/meta/main.yml b/roles/hashicorp_consul/meta/main.yml deleted file mode 100644 index 92a54a8..0000000 --- a/roles/hashicorp_consul/meta/main.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# meta file for hashicorp_consul -galaxy_info: - namespace: 'ednxzu' - role_name: 'hashicorp_consul' - author: 'Bertrand Lanson' - description: 'Install and configure hashicorp consul for debian-based distros.' - license: 'license (BSD, MIT)' - min_ansible_version: '2.10' - platforms: - - name: Ubuntu - versions: - - focal - - jammy - - name: Debian - versions: - - bullseye - - bookworm - galaxy_tags: - - 'ubuntu' - - 'debian' - - 'hashicorp' - - 'consul' - -dependencies: [] diff --git a/roles/hashicorp_consul/molecule/default/converge.yml b/roles/hashicorp_consul/molecule/default/converge.yml deleted file mode 100644 index 836464f..0000000 --- a/roles/hashicorp_consul/molecule/default/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_consul" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_consul" 
diff --git a/roles/hashicorp_consul/molecule/default/molecule.yml b/roles/hashicorp_consul/molecule/default/molecule.yml deleted file mode 100644 index 49efc7f..0000000 --- a/roles/hashicorp_consul/molecule/default/molecule.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_consul/molecule/default/requirements.yml b/roles/hashicorp_consul/molecule/default/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_consul/molecule/default/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_consul/molecule/default/verify.yml b/roles/hashicorp_consul/molecule/default/verify.yml deleted file mode 100644 index 762ae27..0000000 --- a/roles/hashicorp_consul/molecule/default/verify.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: consul user and group" - block: - - name: "Getent user consul" - ansible.builtin.getent: - database: passwd - key: consul - register: consul_user - - - name: "Getent group consul" - ansible.builtin.getent: - database: group - key: consul - register: consul_group - - - name: "Verify consul user and group" - ansible.builtin.assert: - that: - - not consul_user.failed - - not consul_group.failed - - "'consul' in consul_user.ansible_facts.getent_passwd.keys()" - - "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']" - - "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']" - - "'consul' in consul_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/consul.d" - block: - - name: "Stat directory /etc/consul.d" - ansible.builtin.stat: - path: "/etc/consul.d" - register: stat_etc_consul_d - - - name: "Stat file /etc/consul.d/consul.env" - ansible.builtin.stat: - path: "/etc/consul.d/consul.env" - register: stat_etc_consul_d_consul_env - - - name: "Stat file /etc/consul.d/consul.json" - ansible.builtin.stat: - path: "/etc/consul.d/consul.json" - register: stat_etc_consul_d_consul_json - - - name: "Slurp file /etc/consul.d/consul.json" - ansible.builtin.slurp: - src: "/etc/consul.d/consul.json" - register: slurp_etc_consul_d_consul_json - - - name: "Verify directory /etc/consul.d" - ansible.builtin.assert: - that: - - stat_etc_consul_d.stat.exists - - stat_etc_consul_d.stat.isdir - - stat_etc_consul_d.stat.pw_name == 'consul' - - stat_etc_consul_d.stat.gr_name == 'consul' - - stat_etc_consul_d.stat.mode == '0755' - - stat_etc_consul_d_consul_env.stat.exists - - stat_etc_consul_d_consul_env.stat.isreg - - stat_etc_consul_d_consul_env.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_env.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_env.stat.mode == '0600' - - stat_etc_consul_d_consul_json.stat.exists - 
- stat_etc_consul_d_consul_json.stat.isreg - - stat_etc_consul_d_consul_json.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_json.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_json.stat.mode == '0600' - - slurp_etc_consul_d_consul_json.content != '' - - - name: "Test: directory /opt/consul" - block: - - name: "Stat directory /opt/consul" - ansible.builtin.stat: - path: "/opt/consul" - register: stat_opt_consul - - - name: "Verify directory /opt/consul" - ansible.builtin.assert: - that: - - stat_opt_consul.stat.exists - - stat_opt_consul.stat.isdir - - stat_opt_consul.stat.pw_name == 'consul' - - stat_opt_consul.stat.gr_name == 'consul' - - stat_opt_consul.stat.mode == '0755' - - - name: "Test: service consul" - block: - - name: "Get service consul" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/consul.service" - ansible.builtin.stat: - path: "/etc/systemd/system/consul.service" - register: stat_etc_systemd_system_consul_service - - - name: "Slurp file /etc/systemd/system/consul.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/consul.service" - register: slurp_etc_systemd_system_consul_service - - - name: "Verify service consul" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_consul_service.stat.exists - - stat_etc_systemd_system_consul_service.stat.isreg - - stat_etc_systemd_system_consul_service.stat.pw_name == 'root' - - stat_etc_systemd_system_consul_service.stat.gr_name == 'root' - - stat_etc_systemd_system_consul_service.stat.mode == '0644' - - slurp_etc_systemd_system_consul_service.content != '' - - ansible_facts.services['consul.service'] is defined - - ansible_facts.services['consul.service']['source'] == 'systemd' - - ansible_facts.services['consul.service']['state'] == 'running' - - ansible_facts.services['consul.service']['status'] == 'enabled' - - - name: "Test: interaction consul" - block: - - name: "Command consul kv put" - ansible.builtin.command: "consul kv put foo bar" - 
changed_when: false - register: consul_kv_put - - - name: "Command consul kv get" - ansible.builtin.command: "consul kv get foo" - changed_when: false - register: consul_kv_get - - - name: "Command consul kv delete" - ansible.builtin.command: "consul kv delete foo" - changed_when: false - register: consul_kv_delete - - - name: "Command consul members" - ansible.builtin.command: "consul members" - changed_when: false - register: consul_members - - - name: "Verify consul interaction" - ansible.builtin.assert: - that: - - "'instance' in consul_members.stdout" - - consul_kv_put.stdout == 'Success! Data written to: foo' - - consul_kv_get.stdout == 'bar' - - consul_kv_delete.stdout == 'Success! Deleted key: foo' diff --git a/roles/hashicorp_consul/molecule/default_vagrant/converge.yml b/roles/hashicorp_consul/molecule/default_vagrant/converge.yml deleted file mode 100644 index 836464f..0000000 --- a/roles/hashicorp_consul/molecule/default_vagrant/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_consul" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_consul" diff --git a/roles/hashicorp_consul/molecule/default_vagrant/molecule.yml b/roles/hashicorp_consul/molecule/default_vagrant/molecule.yml deleted file mode 100644 index 2b02360..0000000 --- a/roles/hashicorp_consul/molecule/default_vagrant/molecule.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy 
diff --git a/roles/hashicorp_consul/molecule/default_vagrant/requirements.yml b/roles/hashicorp_consul/molecule/default_vagrant/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_consul/molecule/default_vagrant/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_consul/molecule/default_vagrant/verify.yml b/roles/hashicorp_consul/molecule/default_vagrant/verify.yml deleted file mode 100644 index 762ae27..0000000 --- a/roles/hashicorp_consul/molecule/default_vagrant/verify.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: consul user and group" - block: - - name: "Getent user consul" - ansible.builtin.getent: - database: passwd - key: consul - register: consul_user - - - name: "Getent group consul" - ansible.builtin.getent: - database: group - key: consul - register: consul_group - - - name: "Verify consul user and group" - ansible.builtin.assert: - that: - - not consul_user.failed - - not consul_group.failed - - "'consul' in consul_user.ansible_facts.getent_passwd.keys()" - - "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']" - - "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']" - - "'consul' in consul_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/consul.d" - block: - - name: "Stat directory /etc/consul.d" - ansible.builtin.stat: - path: "/etc/consul.d" - register: stat_etc_consul_d - - - name: "Stat file /etc/consul.d/consul.env" - ansible.builtin.stat: - path: "/etc/consul.d/consul.env" - register: stat_etc_consul_d_consul_env - - - name: "Stat file /etc/consul.d/consul.json" - ansible.builtin.stat: - path: "/etc/consul.d/consul.json" - register: stat_etc_consul_d_consul_json - - - name: "Slurp file /etc/consul.d/consul.json" - ansible.builtin.slurp: - src: "/etc/consul.d/consul.json" - register: slurp_etc_consul_d_consul_json - - - name: "Verify directory /etc/consul.d" - ansible.builtin.assert: - that: - - stat_etc_consul_d.stat.exists - - stat_etc_consul_d.stat.isdir - - stat_etc_consul_d.stat.pw_name == 'consul' - - stat_etc_consul_d.stat.gr_name == 'consul' - - stat_etc_consul_d.stat.mode == '0755' - - stat_etc_consul_d_consul_env.stat.exists - - stat_etc_consul_d_consul_env.stat.isreg - - stat_etc_consul_d_consul_env.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_env.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_env.stat.mode == '0600' - - stat_etc_consul_d_consul_json.stat.exists - 
- stat_etc_consul_d_consul_json.stat.isreg - - stat_etc_consul_d_consul_json.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_json.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_json.stat.mode == '0600' - - slurp_etc_consul_d_consul_json.content != '' - - - name: "Test: directory /opt/consul" - block: - - name: "Stat directory /opt/consul" - ansible.builtin.stat: - path: "/opt/consul" - register: stat_opt_consul - - - name: "Verify directory /opt/consul" - ansible.builtin.assert: - that: - - stat_opt_consul.stat.exists - - stat_opt_consul.stat.isdir - - stat_opt_consul.stat.pw_name == 'consul' - - stat_opt_consul.stat.gr_name == 'consul' - - stat_opt_consul.stat.mode == '0755' - - - name: "Test: service consul" - block: - - name: "Get service consul" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/consul.service" - ansible.builtin.stat: - path: "/etc/systemd/system/consul.service" - register: stat_etc_systemd_system_consul_service - - - name: "Slurp file /etc/systemd/system/consul.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/consul.service" - register: slurp_etc_systemd_system_consul_service - - - name: "Verify service consul" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_consul_service.stat.exists - - stat_etc_systemd_system_consul_service.stat.isreg - - stat_etc_systemd_system_consul_service.stat.pw_name == 'root' - - stat_etc_systemd_system_consul_service.stat.gr_name == 'root' - - stat_etc_systemd_system_consul_service.stat.mode == '0644' - - slurp_etc_systemd_system_consul_service.content != '' - - ansible_facts.services['consul.service'] is defined - - ansible_facts.services['consul.service']['source'] == 'systemd' - - ansible_facts.services['consul.service']['state'] == 'running' - - ansible_facts.services['consul.service']['status'] == 'enabled' - - - name: "Test: interaction consul" - block: - - name: "Command consul kv put" - ansible.builtin.command: "consul kv put foo bar" - 
changed_when: false - register: consul_kv_put - - - name: "Command consul kv get" - ansible.builtin.command: "consul kv get foo" - changed_when: false - register: consul_kv_get - - - name: "Command consul kv delete" - ansible.builtin.command: "consul kv delete foo" - changed_when: false - register: consul_kv_delete - - - name: "Command consul members" - ansible.builtin.command: "consul members" - changed_when: false - register: consul_members - - - name: "Verify consul interaction" - ansible.builtin.assert: - that: - - "'instance' in consul_members.stdout" - - consul_kv_put.stdout == 'Success! Data written to: foo' - - consul_kv_get.stdout == 'bar' - - consul_kv_delete.stdout == 'Success! Deleted key: foo' diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled/converge.yml b/roles/hashicorp_consul/molecule/with_acl_enabled/converge.yml deleted file mode 100644 index 836464f..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_consul" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_consul" diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled/group_vars/all.yml b/roles/hashicorp_consul/molecule/with_acl_enabled/group_vars/all.yml deleted file mode 100644 index bdb7324..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled/group_vars/all.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -hashi_consul_install: true -hashi_consul_auto_update: true -hashi_consul_start_service: true -hashi_consul_version: latest -hashi_consul_deploy_method: host # deployment method, either host or docker. -hashi_consul_env_variables: {} -hashi_consul_data_dir: "/opt/consul" -hashi_consul_extra_files: false -hashi_consul_extra_files_src: /tmp/extra_files -hashi_consul_extra_files_dst: /etc/consul.d/extra_files -hashi_consul_envoy_install: true -hashi_consul_envoy_version: v1.26.3 -#! consul configuration -hashi_consul_configuration: - domain: consul - datacenter: dc1 - primary_datacenter: dc1 - client_addr: "0.0.0.0" - bind_addr: "{{ ansible_default_ipv4.address }}" - advertise_addr: "{{ ansible_default_ipv4.address }}" - data_dir: "{{ hashi_consul_data_dir }}" - encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}" - server: true - bootstrap_expect: 1 - retry_join: - - "{{ ansible_default_ipv4.address }}" - ui_config: - enabled: true - connect: - enabled: false - leave_on_terminate: true - rejoin_after_leave: true - enable_script_checks: true - enable_syslog: true - log_level: INFO - acl: - enabled: true - default_policy: "deny" - enable_token_persistence: true - tokens: - initial_management: "1a1f2ce5-3730-47de-9a9c-89e037376bab" - agent: "1a1f2ce5-3730-47de-9a9c-89e037376bab" - dns_config: - allow_stale: true - enable_truncate: true - only_passing: true - ports: - dns: 8600 - http: 8500 - https: -1 - grpc: 8502 - grpc_tls: 8503 - server: 8300 - serf_lan: 8301 - serf_wan: 8302 - sidecar_min_port: 21000 - sidecar_max_port: 21255 - expose_min_port: 21500 - expose_max_port: 21755 - # tls: - # defaults: - # ca_file: "{{ hashi_consul_data_dir }}/tls/ca.pem" - # cert_file: "{{ hashi_consul_data_dir }}/tls/cert.pem" - # key_file: "{{ hashi_consul_data_dir }}/tls/key.pem" - # verify_incoming: false - # verify_outgoing: true - # grpc: {} - # https: {} 
diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled/molecule.yml b/roles/hashicorp_consul/molecule/with_acl_enabled/molecule.yml deleted file mode 100644 index 59630f1..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled/molecule.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_acl_enabled - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled/requirements.yml b/roles/hashicorp_consul/molecule/with_acl_enabled/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled/verify.yml b/roles/hashicorp_consul/molecule/with_acl_enabled/verify.yml deleted file mode 100644 index 2ec5eea..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled/verify.yml +++ /dev/null 
@@ -1,156 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: consul user and group" - block: - - name: "Getent user consul" - ansible.builtin.getent: - database: passwd - key: consul - register: consul_user - - - name: "Getent group consul" - ansible.builtin.getent: - database: group - key: consul - register: consul_group - - - name: "Verify consul user and group" - ansible.builtin.assert: - that: - - not consul_user.failed - - not consul_group.failed - - "'consul' in consul_user.ansible_facts.getent_passwd.keys()" - - "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']" - - "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']" - - "'consul' in consul_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/consul.d" - block: - - name: "Stat directory /etc/consul.d" - ansible.builtin.stat: - path: "/etc/consul.d" - register: stat_etc_consul_d - - - name: "Stat file /etc/consul.d/consul.env" - ansible.builtin.stat: - path: "/etc/consul.d/consul.env" - register: stat_etc_consul_d_consul_env - - - name: "Stat file /etc/consul.d/consul.json" - ansible.builtin.stat: - path: "/etc/consul.d/consul.json" - register: stat_etc_consul_d_consul_json - - - name: "Slurp file /etc/consul.d/consul.json" - ansible.builtin.slurp: - src: "/etc/consul.d/consul.json" - register: slurp_etc_consul_d_consul_json - - - name: "Verify directory /etc/consul.d" - ansible.builtin.assert: - that: - - stat_etc_consul_d.stat.exists - - stat_etc_consul_d.stat.isdir - - stat_etc_consul_d.stat.pw_name == 'consul' - - stat_etc_consul_d.stat.gr_name == 'consul' - - stat_etc_consul_d.stat.mode == '0755' - - stat_etc_consul_d_consul_env.stat.exists - - stat_etc_consul_d_consul_env.stat.isreg - - stat_etc_consul_d_consul_env.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_env.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_env.stat.mode == '0600' - - stat_etc_consul_d_consul_json.stat.exists - 
- stat_etc_consul_d_consul_json.stat.isreg - - stat_etc_consul_d_consul_json.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_json.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_json.stat.mode == '0600' - - slurp_etc_consul_d_consul_json.content != '' - - - name: "Test: directory /opt/consul" - block: - - name: "Stat directory /opt/consul" - ansible.builtin.stat: - path: "/opt/consul" - register: stat_opt_consul - - - name: "Verify directory /opt/consul" - ansible.builtin.assert: - that: - - stat_opt_consul.stat.exists - - stat_opt_consul.stat.isdir - - stat_opt_consul.stat.pw_name == 'consul' - - stat_opt_consul.stat.gr_name == 'consul' - - stat_opt_consul.stat.mode == '0755' - - - name: "Test: service consul" - block: - - name: "Get service consul" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/consul.service" - ansible.builtin.stat: - path: "/etc/systemd/system/consul.service" - register: stat_etc_systemd_system_consul_service - - - name: "Slurp file /etc/systemd/system/consul.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/consul.service" - register: slurp_etc_systemd_system_consul_service - - - name: "Verify service consul" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_consul_service.stat.exists - - stat_etc_systemd_system_consul_service.stat.isreg - - stat_etc_systemd_system_consul_service.stat.pw_name == 'root' - - stat_etc_systemd_system_consul_service.stat.gr_name == 'root' - - stat_etc_systemd_system_consul_service.stat.mode == '0644' - - slurp_etc_systemd_system_consul_service.content != '' - - ansible_facts.services['consul.service'] is defined - - ansible_facts.services['consul.service']['source'] == 'systemd' - - ansible_facts.services['consul.service']['state'] == 'running' - - ansible_facts.services['consul.service']['status'] == 'enabled' - - - name: "Test: interaction consul" - vars: - acl_token: "1a1f2ce5-3730-47de-9a9c-89e037376bab" - block: - - name: "Command consul kv put" 
- ansible.builtin.command: "consul kv put foo bar" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_put - - - name: "Command consul kv get" - ansible.builtin.command: "consul kv get foo" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_get - - - name: "Command consul kv delete" - ansible.builtin.command: "consul kv delete foo" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_delete - - - name: "Command consul members" - ansible.builtin.command: "consul members" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_members - - - name: "Verify consul interaction" - ansible.builtin.assert: - that: - - "'instance' in consul_members.stdout" - - consul_kv_put.stdout == 'Success! Data written to: foo' - - consul_kv_get.stdout == 'bar' - - consul_kv_delete.stdout == 'Success! Deleted key: foo' diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/converge.yml b/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/converge.yml deleted file mode 100644 index 836464f..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_consul" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_consul" diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/group_vars/all.yml b/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/group_vars/all.yml deleted file mode 100644 index bdb7324..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/group_vars/all.yml +++ /dev/null 
@@ -1,69 +0,0 @@
----
-hashi_consul_install: true
-hashi_consul_auto_update: true
-hashi_consul_start_service: true
-hashi_consul_version: latest
-hashi_consul_deploy_method: host # deployment method, either host or docker.
-hashi_consul_env_variables: {}
-hashi_consul_data_dir: "/opt/consul"
-hashi_consul_extra_files: false
-hashi_consul_extra_files_src: /tmp/extra_files
-hashi_consul_extra_files_dst: /etc/consul.d/extra_files
-hashi_consul_envoy_install: true
-hashi_consul_envoy_version: v1.26.3
-#! consul configuration
-hashi_consul_configuration:
- domain: consul
- datacenter: dc1
- primary_datacenter: dc1
- client_addr: "0.0.0.0"
- bind_addr: "{{ ansible_default_ipv4.address }}"
- advertise_addr: "{{ ansible_default_ipv4.address }}"
- data_dir: "{{ hashi_consul_data_dir }}"
- encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
- server: true
- bootstrap_expect: 1
- retry_join:
- - "{{ ansible_default_ipv4.address }}"
- ui_config:
- enabled: true
- connect:
- enabled: false
- leave_on_terminate: true
- rejoin_after_leave: true
- enable_script_checks: true
- enable_syslog: true
- log_level: INFO
- acl:
- enabled: true
- default_policy: "deny"
- enable_token_persistence: true
- tokens:
- initial_management: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
- agent: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
- dns_config:
- allow_stale: true
- enable_truncate: true
- only_passing: true
- ports:
- dns: 8600
- http: 8500
- https: -1
- grpc: 8502
- grpc_tls: 8503
- server: 8300
- serf_lan: 8301
- serf_wan: 8302
- sidecar_min_port: 21000
- sidecar_max_port: 21255
- expose_min_port: 21500
- expose_max_port: 21755
- # tls:
- # defaults:
- # ca_file: "{{ hashi_consul_data_dir }}/tls/ca.pem"
- # cert_file: "{{ hashi_consul_data_dir }}/tls/cert.pem"
- # key_file: "{{ hashi_consul_data_dir }}/tls/key.pem"
- # verify_incoming: false
- # verify_outgoing: true
- # grpc: {}
- # https: {}
diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/molecule.yml b/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/molecule.yml deleted file mode 100644 index 0e6b593..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/molecule.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_acl_enabled_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/requirements.yml b/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/verify.yml b/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/verify.yml deleted file mode 100644 index 2ec5eea..0000000 --- a/roles/hashicorp_consul/molecule/with_acl_enabled_vagrant/verify.yml +++ /dev/null 
@@ -1,156 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: consul user and group" - block: - - name: "Getent user consul" - ansible.builtin.getent: - database: passwd - key: consul - register: consul_user - - - name: "Getent group consul" - ansible.builtin.getent: - database: group - key: consul - register: consul_group - - - name: "Verify consul user and group" - ansible.builtin.assert: - that: - - not consul_user.failed - - not consul_group.failed - - "'consul' in consul_user.ansible_facts.getent_passwd.keys()" - - "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']" - - "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']" - - "'consul' in consul_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/consul.d" - block: - - name: "Stat directory /etc/consul.d" - ansible.builtin.stat: - path: "/etc/consul.d" - register: stat_etc_consul_d - - - name: "Stat file /etc/consul.d/consul.env" - ansible.builtin.stat: - path: "/etc/consul.d/consul.env" - register: stat_etc_consul_d_consul_env - - - name: "Stat file /etc/consul.d/consul.json" - ansible.builtin.stat: - path: "/etc/consul.d/consul.json" - register: stat_etc_consul_d_consul_json - - - name: "Slurp file /etc/consul.d/consul.json" - ansible.builtin.slurp: - src: "/etc/consul.d/consul.json" - register: slurp_etc_consul_d_consul_json - - - name: "Verify directory /etc/consul.d" - ansible.builtin.assert: - that: - - stat_etc_consul_d.stat.exists - - stat_etc_consul_d.stat.isdir - - stat_etc_consul_d.stat.pw_name == 'consul' - - stat_etc_consul_d.stat.gr_name == 'consul' - - stat_etc_consul_d.stat.mode == '0755' - - stat_etc_consul_d_consul_env.stat.exists - - stat_etc_consul_d_consul_env.stat.isreg - - stat_etc_consul_d_consul_env.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_env.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_env.stat.mode == '0600' - - stat_etc_consul_d_consul_json.stat.exists - 
- stat_etc_consul_d_consul_json.stat.isreg - - stat_etc_consul_d_consul_json.stat.pw_name == 'consul' - - stat_etc_consul_d_consul_json.stat.gr_name == 'consul' - - stat_etc_consul_d_consul_json.stat.mode == '0600' - - slurp_etc_consul_d_consul_json.content != '' - - - name: "Test: directory /opt/consul" - block: - - name: "Stat directory /opt/consul" - ansible.builtin.stat: - path: "/opt/consul" - register: stat_opt_consul - - - name: "Verify directory /opt/consul" - ansible.builtin.assert: - that: - - stat_opt_consul.stat.exists - - stat_opt_consul.stat.isdir - - stat_opt_consul.stat.pw_name == 'consul' - - stat_opt_consul.stat.gr_name == 'consul' - - stat_opt_consul.stat.mode == '0755' - - - name: "Test: service consul" - block: - - name: "Get service consul" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/consul.service" - ansible.builtin.stat: - path: "/etc/systemd/system/consul.service" - register: stat_etc_systemd_system_consul_service - - - name: "Slurp file /etc/systemd/system/consul.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/consul.service" - register: slurp_etc_systemd_system_consul_service - - - name: "Verify service consul" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_consul_service.stat.exists - - stat_etc_systemd_system_consul_service.stat.isreg - - stat_etc_systemd_system_consul_service.stat.pw_name == 'root' - - stat_etc_systemd_system_consul_service.stat.gr_name == 'root' - - stat_etc_systemd_system_consul_service.stat.mode == '0644' - - slurp_etc_systemd_system_consul_service.content != '' - - ansible_facts.services['consul.service'] is defined - - ansible_facts.services['consul.service']['source'] == 'systemd' - - ansible_facts.services['consul.service']['state'] == 'running' - - ansible_facts.services['consul.service']['status'] == 'enabled' - - - name: "Test: interaction consul" - vars: - acl_token: "1a1f2ce5-3730-47de-9a9c-89e037376bab" - block: - - name: "Command consul kv put" 
- ansible.builtin.command: "consul kv put foo bar" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_put - - - name: "Command consul kv get" - ansible.builtin.command: "consul kv get foo" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_get - - - name: "Command consul kv delete" - ansible.builtin.command: "consul kv delete foo" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_kv_delete - - - name: "Command consul members" - ansible.builtin.command: "consul members" - environment: - CONSUL_HTTP_TOKEN: "{{ acl_token }}" - changed_when: false - register: consul_members - - - name: "Verify consul interaction" - ansible.builtin.assert: - that: - - "'instance' in consul_members.stdout" - - consul_kv_put.stdout == 'Success! Data written to: foo' - - consul_kv_get.stdout == 'bar' - - consul_kv_delete.stdout == 'Success! Deleted key: foo' diff --git a/roles/hashicorp_consul/tasks/configure.yml b/roles/hashicorp_consul/tasks/configure.yml deleted file mode 100644 index 479f447..0000000 --- a/roles/hashicorp_consul/tasks/configure.yml +++ /dev/null 
@@ -1,46 +0,0 @@
----
-# task/configure file for hashicorp_consul
-- name: "Ensure default consul.hcl is removed"
- ansible.builtin.file:
- path: /etc/consul.d/consul.hcl
- state: absent
-
-- name: "Copy consul.json template"
- ansible.builtin.template:
- src: consul.json.j2
- dest: "{{ hashi_consul_config_dir }}/consul.json"
- owner: "{{ hashi_consul_user }}"
- group: "{{ hashi_consul_group }}"
- mode: '0600'
- notify:
- - "systemctl-enable-consul"
- - "systemctl-restart-consul"
-
-- name: "Create consul.env"
- ansible.builtin.template:
- src: consul.env.j2
- dest: "{{ hashi_consul_config_dir }}/consul.env"
- owner: "{{ hashi_consul_user }}"
- group: "{{ hashi_consul_group }}"
- mode: '0600'
-
-- name: "Copy extra configuration files"
- when: hashi_consul_extra_files
- block:
- - name: "Create directory {{ hashi_consul_extra_files_dst }}"
- ansible.builtin.file:
- path: "{{ hashi_consul_extra_files_dst }}"
- state: directory
- owner: "{{ hashi_consul_user }}"
- group: "{{ hashi_consul_group }}"
- mode: '0755'
-
- - name: "Copy extra configuration files"
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ hashi_consul_extra_files_dst }}/{{ (item | basename).split('.')[:-1] | join('.')}}"
- owner: "{{ hashi_consul_user }}"
- group: "{{ hashi_consul_group }}"
- mode: '0600'
- with_fileglob:
- - "{{ hashi_consul_extra_files_src }}/*"
diff --git a/roles/hashicorp_consul/tasks/install.yml b/roles/hashicorp_consul/tasks/install.yml
deleted file mode 100644
index 0fa8b09..0000000
--- a/roles/hashicorp_consul/tasks/install.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-# task/install file for hashicorp_consul
-- name: "Configure hashicorp repository"
- ansible.builtin.include_role:
- name: ednxzu.manage_repositories
- vars:
- manage_repositories_enable_default_repo: false
- manage_repositories_enable_custom_repo: true
- manage_repositories_custom_repo: "{{ hashi_consul_repository }}"
-
-- name: "Install consul:{{ hashi_consul_version }}"
- ansible.builtin.include_role:
- name: ednxzu.manage_apt_packages
- vars:
- manage_apt_packages_list: "{{ hashi_consul_packages }}"
-
-- name: "Copy systemd service file for consul"
- ansible.builtin.template:
- src: "consul.service.j2"
- dest: "/etc/systemd/system/consul.service"
- owner: root
- group: root
- mode: '0644'
- notify:
- - "systemctl-daemon-reload"
diff --git a/roles/hashicorp_consul/tasks/install_envoy.yml b/roles/hashicorp_consul/tasks/install_envoy.yml
deleted file mode 100644
index 89a085a..0000000
--- a/roles/hashicorp_consul/tasks/install_envoy.yml
+++ /dev/null
@@ -1,66 +0,0 @@ ---- -# task/install_envoy file for hashicorp_consul -- name: "Get release for envoy:{{ hashi_consul_envoy_version }}" - vars: - _envoy_url_ext: "{% if hashi_consul_envoy_version == 'latest'%}releases{% else %}releases/tags{% endif %}" - ansible.builtin.uri: - url: "{{ hashi_consul_envoy_github_api }}/{{ _envoy_url_ext }}/{{ hashi_consul_envoy_version }}" - return_content: true - register: _envoy_new_release - -- name: "Check if envoy is already installed" - ansible.builtin.stat: - path: "{{ hashi_consul_data_dir }}/envoy/version" - changed_when: false - check_mode: false - register: _envoy_is_installed - - -- name: "Check current envoy version" - ansible.builtin.command: "cat {{ hashi_consul_data_dir }}/envoy/version" - changed_when: false - check_mode: false - register: _envoy_old_release - when: _envoy_is_installed.stat.exists - -- name: "Set facts for wanted envoy release" - ansible.builtin.set_fact: - hashi_consul_envoy_wanted_version: "{{ _envoy_new_release.json['tag_name']|regex_replace('v', '') }}" - when: _envoy_new_release.json is defined - and (_envoy_new_release.json | length > 0) - -- name: "Set facts for current envoy release" - ansible.builtin.set_fact: - hashi_consul_envoy_current_version: "{{ _envoy_old_release.stdout | regex_replace('v', '') }}" - when: _envoy_old_release.stdout is defined - and (_envoy_old_release.stdout | length > 0) - -- name: "Create envoy directory" - ansible.builtin.file: - path: "{{ hashi_consul_data_dir }}/envoy" - state: directory - mode: "0775" - -- name: "Install envoy" - when: hashi_consul_envoy_current_version is not defined - or hashi_consul_envoy_wanted_version not in hashi_consul_envoy_current_version - block: - - name: "Remove old compose binary if different" - ansible.builtin.file: - path: "{{ hashi_consul_envoy_path }}" - state: absent - register: _envoy_binary_removed - - - name: "Download and install envoy version:{{ hashi_consul_envoy_version }}" - ansible.builtin.get_url: - url: "{{ 
hashi_consul_envoy_github_url }}/releases/download/v{{ hashi_consul_envoy_wanted_version }}/envoy-{{ hashi_consul_envoy_wanted_version }}-linux-{{ hashi_consul_envoy_arch }} " - dest: "{{ hashi_consul_envoy_path }}" - owner: root - group: root - mode: '0755' - - - name: "Update version file" - ansible.builtin.copy: - content: "{{ hashi_consul_envoy_wanted_version }}" - dest: "{{ hashi_consul_data_dir }}/envoy/version" - mode: "0600" diff --git a/roles/hashicorp_consul/tasks/main.yml b/roles/hashicorp_consul/tasks/main.yml deleted file mode 100644 index a26499e..0000000 --- a/roles/hashicorp_consul/tasks/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -# task/main file for hashicorp_consul -- name: "Import prerequisites.yml" - ansible.builtin.include_tasks: prerequisites.yml - -- name: "Import install.yml" - ansible.builtin.include_tasks: install.yml - -- name: "Import install_envoy.yml" - ansible.builtin.include_tasks: install_envoy.yml - when: hashi_consul_envoy_install - -- name: "Import configure.yml" - ansible.builtin.include_tasks: configure.yml diff --git a/roles/hashicorp_consul/tasks/prerequisites.yml b/roles/hashicorp_consul/tasks/prerequisites.yml deleted file mode 100644 index 7d37263..0000000 --- a/roles/hashicorp_consul/tasks/prerequisites.yml +++ /dev/null 
@@ -1,29 +0,0 @@
----
-# task/prerequisites file for hashicorp_consul
-- name: "Create group {{ hashi_consul_group }}"
- ansible.builtin.group:
- name: "{{ hashi_consul_group }}"
- state: present
-
-- name: "Create user {{ hashi_consul_user }}"
- ansible.builtin.user:
- name: "{{ hashi_consul_user }}"
- group: "{{ hashi_consul_group }}"
- shell: /bin/false
- state: present
-
-- name: "Create directory {{ hashi_consul_config_dir }}"
- ansible.builtin.file:
- path: "{{ hashi_consul_config_dir }}"
- state: directory
- owner: "{{ hashi_consul_user }}"
- group: "{{ hashi_consul_group }}"
- mode: '0755'
-
-- name: "Create directory {{ hashi_consul_data_dir}}"
- ansible.builtin.file:
- path: "{{ hashi_consul_data_dir }}"
- state: directory
- owner: "{{ hashi_consul_user }}"
- group: "{{ hashi_consul_group }}"
- mode: '0755'
diff --git a/roles/hashicorp_consul/templates/consul.env.j2 b/roles/hashicorp_consul/templates/consul.env.j2
deleted file mode 100644
index 3acc2ff..0000000
--- a/roles/hashicorp_consul/templates/consul.env.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-{% for item in hashi_consul_env_variables %}
-{{ item|upper }}="{{ hashi_consul_env_variables[item] }}"
-{% endfor %}
\ No newline at end of file
diff --git a/roles/hashicorp_consul/templates/consul.json.j2 b/roles/hashicorp_consul/templates/consul.json.j2
deleted file mode 100644
index 7cf757d..0000000
--- a/roles/hashicorp_consul/templates/consul.json.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ hashi_consul_configuration|to_nice_json }}
diff --git a/roles/hashicorp_consul/templates/consul.service.j2 b/roles/hashicorp_consul/templates/consul.service.j2
deleted file mode 100644
index 86dea55..0000000
--- a/roles/hashicorp_consul/templates/consul.service.j2
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Consul
-Documentation=https://developer.hashicorp.com/consul/docs
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty={{ hashi_consul_config_dir }}/consul.json
-
-[Service]
-EnvironmentFile=-{{ hashi_consul_config_dir }}/consul.env
-User={{ hashi_consul_user }}
-Group={{ hashi_consul_group }}
-ExecStart=/usr/bin/consul agent -config-dir={{ hashi_consul_config_dir }}
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillMode=process
-KillSignal=SIGTERM
-Restart=on-failure
-LimitNOFILE=65536
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/hashicorp_consul/vars/main.yml b/roles/hashicorp_consul/vars/main.yml
deleted file mode 100644
index e9a6b51..0000000
--- a/roles/hashicorp_consul/vars/main.yml
+++ /dev/null
@@ -1,28 +0,0 @@
----
-# vars file for hashicorp_consul
-hashi_consul_user: consul
-hashi_consul_group: consul
-hashi_consul_config_dir: "/etc/consul.d"
-hashi_consul_envoy_github_api: https://api.github.com/repos/envoyproxy/envoy
-hashi_consul_envoy_github_url: https://github.com/envoyproxy/envoy
-hashi_consul_envoy_path: "/usr/local/bin/envoy"
-hashi_consul_envoy_arch_map:
- x86_64: 'x86_64'
- aarch64: 'aarch64'
-hashi_consul_envoy_arch: "{{ hashi_consul_envoy_arch_map[ansible_architecture] | default(ansible_architecture) }}"
-hashi_consul_repository:
- - name: hashicorp
- uri: "https://apt.releases.hashicorp.com"
- comments: "hashicorp repository"
- types:
- - deb
- suites:
- - "{{ ansible_distribution_release }}"
- components:
- - main
- options:
- Signed-By: "https://apt.releases.hashicorp.com/gpg"
-hashi_consul_packages:
- - name: consul
- version: "{{ hashi_consul_version }}"
- state: "{% if hashi_consul_auto_update %}latest{% else %}present{% endif %}"
diff --git a/roles/hashicorp_nomad/LICENSE b/roles/hashicorp_nomad/LICENSE
deleted file mode 100644
index c9a37e5..0000000
--- a/roles/hashicorp_nomad/LICENSE
+++ /dev/null
@@ -1,20 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2017 Bertrand Lanson - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/roles/hashicorp_nomad/README.md b/roles/hashicorp_nomad/README.md deleted file mode 100644 index 79ab3ed..0000000 --- a/roles/hashicorp_nomad/README.md +++ /dev/null 
@@ -1,107 +0,0 @@ -hashicorp_nomad -========= -> This repository is only a mirror. Development and testing is done on a private gitea server. - -This role install and configure nomad on **debian-based** distributions. - -Requirements ------------- - -None. - -Role Variables --------------- -Available variables are listed below, along with default values. A sample file for the default values is available in `default/hashicorp_nomad.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. - -```yaml -hashi_nomad_install: true # by default, set to true -``` -This variable defines if the nomad package is to be installed or not before configuring. If you install nomad using another task, you can set this to `false`. - -```yaml -hashi_nomad_auto_update: false # by default, set to false -``` -This variable allows you to choose to automatically update nomad if a newer version is available. Updating nomad is usually pretty safe if done on a regular basis, but for better control over the upgrade process, see `hashi_nomad_version`. - -```yaml -hashi_nomad_cni_plugins_install: true # by default, set to true -``` -This variable defines whether or not to install the CNI plugins on the host. Defaults to `true`. - -```yaml -hashi_nomad_start_service: true -``` -This variable defines if the nomad service should be started once it has been configured. This is usefull in case you're using this role to build golden images, in which case you might want to only enable the service, to have it start on the next boot (when the image is launched) - -```yaml -hashi_nomad_cni_plugins_version: latest # by default, set to latest -``` -This variable defines the version of the CNI plugins to install. - -```yaml -hashi_nomad_cni_plugins_install_path: /opt/cni/bin -``` -This variable defines where to install the CNI plugins. Note that it should be referenced in the nomad configuration. 
- -```yaml -hashi_nomad_version: latest # by default, set to latest -``` -This variable specifies the version of nomad to install when `hashi_nomad_install` is set to `true`. The version to specify is the version of the package on the hashicorp repository (`1.5.1-1` for example). This can be found by running `apt-cache madison consul` on a machine with the repository installed. - -```yaml -hashi_nomad_deploy_method: host # by default, set to host -``` -This variable defines the method of deployment of nomad. The `host` method installs the binary directly on the host, and runs nomad as a systemd service. The `docker` method install nomad as a docker container. -> Currently, only the `host` method is available, the `docker` method will be added later. - -```yaml -hashi_nomad_env_variables: # by default, set to empty - env_var: value -``` -This value is a list of key/value that will populate the `nomad.env` file. You do not have to capitalize the KEYS, as it will be done automatically. - -```yaml -hashi_nomad_extra_files: false # by default, set to false -``` -This variable defines whether or not there is extra configuration files to copy to the target. If there are, these extra files are expected to be jinja2 templates located all in the same directory, and will be copied to the specified directory on the target machine. - -```yaml -hashi_nomad_extra_files_src: /tmp/extra_files # by default, set to /tmp/extra_files -``` -This variable defines the source directory (without the trailing /) for the extra files to be copied in case there are some. - -```yaml -hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files # by default, set to /etc/nomad.d/extra_files -``` -This variable defines the destination directory (without the trailing /) for the extra files to be copied. - -```yaml -hashi_nomad_configuration: {} # by default, set to a simple configuration -``` -This variable sets all of the configuration parameters for nomad. 
For more information on all of them, please check the [documentation](https://developer.hashicorp.com/nomad/docs/configuration). This variable is parsed and converted to json format to create the config file, so each key and value should be set according to the documentation. This method of passing configuration allows for compatibility with every configuration parameters that nomad has to offer. The defaults are simply here to deploy a simple, single-node nomad server without much configuration, and should NOT be used in production. You will want to edit this to deploy production-ready clusters. - -Dependencies ------------- - -`ednxzu.manage_repositories` to configure the hashicorp apt repository. -`ednxzu.manage_apt_packages` to install nomad. - -Example Playbook ----------------- - -```yaml -# calling the role inside a playbook with either the default or group_vars/host_vars -- hosts: servers - roles: - - ednxzu.hashicorp_nomad -``` - -License -------- - -MIT / BSD - -Author Information ------------------- - -This role was created by Bertrand Lanson in 2023. diff --git a/roles/hashicorp_nomad/defaults/hashicorp_nomad.yml.sample b/roles/hashicorp_nomad/defaults/hashicorp_nomad.yml.sample deleted file mode 100644 index 86f54db..0000000 --- a/roles/hashicorp_nomad/defaults/hashicorp_nomad.yml.sample +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -# hashi_nomad_install: true -# hashi_nomad_auto_update: false -# hashi_nomad_cni_plugins_install: true -# hashi_nomad_start_service: true -# hashi_nomad_cni_plugins_version: latest -# hashi_nomad_cni_plugins_install_path: "/opt/cni/bin" -# hashi_nomad_version: latest -# hashi_nomad_deploy_method: host # deployment method, either host or docker -# hashi_nomad_env_variables: {} -# hashi_nomad_data_dir: /opt/nomad -# hashi_nomad_extra_files: false -# hashi_nomad_extra_files_src: /tmp/extra_files -# hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files -# #! nomad configuration -# hashi_nomad_configuration: -# bind_addr: "0.0.0.0" -# datacenter: dc1 -# log_level: INFO -# leave_on_terminate: false -# data_dir: "{{ hashi_nomad_data_dir }}" -# advertise: -# http: "{{ ansible_default_ipv4.address }}" -# rpc: "{{ ansible_default_ipv4.address }}" -# serf: "{{ ansible_default_ipv4.address }}" -# server: -# enabled: true -# bootstrap_expect: 1 -# server_join: -# retry_join: -# - "{{ ansible_default_ipv4.address }}" -# client: -# enabled: false -# node_class: default -# reserved: -# cpu: 500 -# memory: 300 -# cni_path: "{{ hashi_nomad_cni_plugins_install_path }}" -# bridge_network_name: nomad -# bridge_network_subnet: "172.26.64.0/20" -# ui: -# enabled: true -# acl: -# enabled: false -# token_ttl: 30s -# policy_ttl: 30s -# role_ttl: 30s -# token_min_expiration_ttl: 30s -# token_max_expiration_ttl: 24h -# telemetry: -# collection_interval: 1s -# disable_hostname: false -# use_node_name: false -# publish_allocation_metrics: false -# publish_node_metrics: false -# prefix_filter: [] -# disable_dispatched_job_summary_metrics: false -# prometheus_metrics: false -# # tls: -# # http: false -# # rpc: false -# # ca_file: "{{ hashi_nomad_data_dir }}/tls/ca.pem" -# # cert_file: "{{ hashi_nomad_data_dir }}/tls/cert.pem" -# # key_file: "{{ hashi_nomad_data_dir }}/tls/key.pem" -# # plugin: -# # docker: -# # config: -# # endpoint: "unix:///var/run/docker.sock" -# # 
allow_privileged: false -# # allow_caps: ["all"] -# # volumes: -# # enabled: true -# # consul: -# # address: "127.0.0.1:8500" -# # token: "" -# # auto_advertise: true -# # vault: -# # address: http://vault.service.consul:8200 -# # token: "" -# # create_from_role: nomad-cluster -# # plugin: -# # docker: -# # endpoint: "unix:///var/run/docker.sock" -# # allow_privileged: false -# # allow_caps: ["all"] -# # volumes_enabled: true diff --git a/roles/hashicorp_nomad/defaults/main.yml b/roles/hashicorp_nomad/defaults/main.yml deleted file mode 100644 index badedb1..0000000 --- a/roles/hashicorp_nomad/defaults/main.yml +++ /dev/null 
@@ -1,87 +0,0 @@ ---- -# defaults file for hashicorp_nomad -hashi_nomad_install: true -hashi_nomad_auto_update: false -hashi_nomad_cni_plugins_install: true -hashi_nomad_start_service: true -hashi_nomad_cni_plugins_version: latest -hashi_nomad_cni_plugins_install_path: /opt/cni/bin -hashi_nomad_version: latest -hashi_nomad_deploy_method: host # deployment method, either host or docker -hashi_nomad_env_variables: {} -hashi_nomad_data_dir: /opt/nomad -hashi_nomad_extra_files: false -hashi_nomad_extra_files_src: /tmp/extra_files -hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files -#! nomad configuration -hashi_nomad_configuration: - bind_addr: "0.0.0.0" - datacenter: dc1 - log_level: INFO - leave_on_terminate: false - data_dir: "{{ hashi_nomad_data_dir }}" - advertise: - http: "{{ ansible_default_ipv4.address }}" - rpc: "{{ ansible_default_ipv4.address }}" - serf: "{{ ansible_default_ipv4.address }}" - server: - enabled: true - bootstrap_expect: 1 - server_join: - retry_join: - - "{{ ansible_default_ipv4.address }}" - client: - enabled: false - node_class: default - reserved: - cpu: 500 - memory: 300 - cni_path: "{{ hashi_nomad_cni_plugins_install_path }}" - bridge_network_name: nomad - bridge_network_subnet: "172.26.64.0/20" - ui: - enabled: true - acl: - enabled: false - token_ttl: 30s - policy_ttl: 30s - role_ttl: 30s - token_min_expiration_ttl: 30s - token_max_expiration_ttl: 24h - telemetry: - collection_interval: 1s - disable_hostname: false - use_node_name: false - publish_allocation_metrics: false - publish_node_metrics: false - prefix_filter: [] - disable_dispatched_job_summary_metrics: false - prometheus_metrics: false - # tls: - # http: false - # rpc: false - # ca_file: "{{ hashi_nomad_data_dir }}/tls/ca.pem" - # cert_file: "{{ hashi_nomad_data_dir }}/tls/cert.pem" - # key_file: "{{ hashi_nomad_data_dir }}/tls/key.pem" - # plugin: - # docker: - # config: - # endpoint: "unix:///var/run/docker.sock" - # allow_privileged: false - # allow_caps: ["all"] - # 
volumes: - # enabled: true - # consul: - # address: "127.0.0.1:8500" - # token: "" - # auto_advertise: true - # vault: - # address: http://vault.service.consul:8200 - # token: "" - # create_from_role: nomad-cluster - # plugin: - # docker: - # endpoint: "unix:///var/run/docker.sock" - # allow_privileged: false - # allow_caps: ["all"] - # volumes_enabled: true diff --git a/roles/hashicorp_nomad/handlers/main.yml b/roles/hashicorp_nomad/handlers/main.yml deleted file mode 100644 index d093dd6..0000000 --- a/roles/hashicorp_nomad/handlers/main.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -# handlers file for hashicorp_nomad -- name: "Reload systemd file" - ansible.builtin.systemd: - daemon_reload: true - listen: "systemctl-daemon-reload" - -- name: "Enable nomad service" - ansible.builtin.service: - name: nomad - enabled: true - listen: "systemctl-enable-nomad" - -- name: "Start nomad service" - ansible.builtin.service: - name: nomad - state: restarted - listen: "systemctl-restart-nomad" - throttle: 1 - when: hashi_nomad_start_service diff --git a/roles/hashicorp_nomad/meta/main.yml b/roles/hashicorp_nomad/meta/main.yml deleted file mode 100644 index 7f31c31..0000000 --- a/roles/hashicorp_nomad/meta/main.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# meta file for hashicorp_nomad -galaxy_info: - namespace: 'ednxzu' - role_name: 'hashicorp_nomad' - author: 'Bertrand Lanson' - description: 'Install and configure hashicorp nomad for debian-based distros.' - license: 'license (BSD, MIT)' - min_ansible_version: '2.10' - platforms: - - name: Ubuntu - versions: - - focal - - jammy - - name: Debian - versions: - - bullseye - - bookworm - galaxy_tags: - - 'ubuntu' - - 'debian' - - 'hashicorp' - - 'nomad' - -dependencies: [] diff --git a/roles/hashicorp_nomad/molecule/default/converge.yml b/roles/hashicorp_nomad/molecule/default/converge.yml deleted file mode 100644 index 4dfaa5b..0000000 --- a/roles/hashicorp_nomad/molecule/default/converge.yml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_nomad" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_nomad" diff --git a/roles/hashicorp_nomad/molecule/default/molecule.yml b/roles/hashicorp_nomad/molecule/default/molecule.yml deleted file mode 100644 index 49efc7f..0000000 --- a/roles/hashicorp_nomad/molecule/default/molecule.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_nomad/molecule/default/requirements.yml b/roles/hashicorp_nomad/molecule/default/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_nomad/molecule/default/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_nomad/molecule/default/verify.yml b/roles/hashicorp_nomad/molecule/default/verify.yml deleted file mode 100644 index 6b173a9..0000000 --- a/roles/hashicorp_nomad/molecule/default/verify.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: nomad user and group" - block: - - name: "Getent user nomad" - ansible.builtin.getent: - database: passwd - key: nomad - register: nomad_user - - - name: "Getent group nomad" - ansible.builtin.getent: - database: group - key: nomad - register: nomad_group - - - name: "Verify nomad user and group" - ansible.builtin.assert: - that: - - not nomad_user.failed - - not nomad_group.failed - - "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()" - - "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']" - - "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']" - - "'nomad' in nomad_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/nomad.d" - block: - - name: "Stat directory /etc/nomad.d" - ansible.builtin.stat: - path: "/etc/nomad.d" - register: stat_etc_nomad_d - - - name: "Stat file /etc/nomad.d/nomad.env" - ansible.builtin.stat: - path: "/etc/nomad.d/nomad.env" - register: stat_etc_nomad_d_nomad_env - - - name: "Stat file /etc/nomad.d/nomad.json" - ansible.builtin.stat: - path: "/etc/nomad.d/nomad.json" - register: stat_etc_nomad_d_nomad_json - - - name: "Slurp file /etc/nomad.d/nomad.json" - ansible.builtin.slurp: - src: "/etc/nomad.d/nomad.json" - register: slurp_etc_nomad_d_nomad_json - - - name: "Verify directory /etc/nomad.d" - ansible.builtin.assert: - that: - - stat_etc_nomad_d.stat.exists - - stat_etc_nomad_d.stat.isdir - - stat_etc_nomad_d.stat.pw_name == 'nomad' - - stat_etc_nomad_d.stat.gr_name == 'nomad' - - stat_etc_nomad_d.stat.mode == '0755' - - stat_etc_nomad_d_nomad_env.stat.exists - - stat_etc_nomad_d_nomad_env.stat.isreg - - stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad' - - stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad' - - stat_etc_nomad_d_nomad_env.stat.mode == '0600' - - stat_etc_nomad_d_nomad_json.stat.exists - - stat_etc_nomad_d_nomad_json.stat.isreg - - 
stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad' - - stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad' - - stat_etc_nomad_d_nomad_json.stat.mode == '0600' - - slurp_etc_nomad_d_nomad_json.content != '' - - - name: "Test: directory /opt/nomad" - block: - - name: "Stat directory /opt/nomad" - ansible.builtin.stat: - path: "/opt/nomad" - register: stat_opt_nomad - - - name: "Verify directory /opt/nomad" - ansible.builtin.assert: - that: - - stat_opt_nomad.stat.exists - - stat_opt_nomad.stat.isdir - - stat_opt_nomad.stat.pw_name == 'nomad' - - stat_opt_nomad.stat.gr_name == 'nomad' - - stat_opt_nomad.stat.mode == '0755' - - - name: "Test: service nomad" - block: - - name: "Get service nomad" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/nomad.service" - ansible.builtin.stat: - path: "/etc/systemd/system/nomad.service" - register: stat_etc_systemd_system_nomad_service - - - name: "Slurp file /etc/systemd/system/nomad.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/nomad.service" - register: slurp_etc_systemd_system_nomad_service - - - name: "Verify service nomad" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_nomad_service.stat.exists - - stat_etc_systemd_system_nomad_service.stat.isreg - - stat_etc_systemd_system_nomad_service.stat.pw_name == 'root' - - stat_etc_systemd_system_nomad_service.stat.gr_name == 'root' - - stat_etc_systemd_system_nomad_service.stat.mode == '0644' - - slurp_etc_systemd_system_nomad_service.content != '' - - ansible_facts.services['nomad.service'] is defined - - ansible_facts.services['nomad.service']['source'] == 'systemd' - - ansible_facts.services['nomad.service']['state'] == 'running' - - ansible_facts.services['nomad.service']['status'] == 'enabled' - - - name: "Test: interaction nomad" - block: - - name: "Command nomad var put" - ansible.builtin.command: "nomad var put secret/foobar foo=bar" - changed_when: false - register: nomad_var_put - - - name: "Command nomad var get" 
- ansible.builtin.command: "nomad var get secret/foobar" - changed_when: false - register: nomad_var_get - - - name: "Command nomad var purge" - ansible.builtin.command: "nomad var purge secret/foobar" - changed_when: false - register: nomad_var_purge - - - name: "Command nomad server members" - ansible.builtin.command: "nomad server members" - changed_when: false - register: nomad_server_members - - - name: "Verify nomad interaction" - ansible.builtin.assert: - that: - - "'instance.global' in nomad_server_members.stdout" - - "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout" - - "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout" - - nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!' diff --git a/roles/hashicorp_nomad/molecule/default_vagrant/converge.yml b/roles/hashicorp_nomad/molecule/default_vagrant/converge.yml deleted file mode 100644 index 4dfaa5b..0000000 --- a/roles/hashicorp_nomad/molecule/default_vagrant/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_nomad" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_nomad" diff --git a/roles/hashicorp_nomad/molecule/default_vagrant/molecule.yml b/roles/hashicorp_nomad/molecule/default_vagrant/molecule.yml deleted file mode 100644 index 2b02360..0000000 --- a/roles/hashicorp_nomad/molecule/default_vagrant/molecule.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_nomad/molecule/default_vagrant/requirements.yml b/roles/hashicorp_nomad/molecule/default_vagrant/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_nomad/molecule/default_vagrant/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_nomad/molecule/default_vagrant/verify.yml b/roles/hashicorp_nomad/molecule/default_vagrant/verify.yml deleted file mode 100644 index 6b173a9..0000000 --- a/roles/hashicorp_nomad/molecule/default_vagrant/verify.yml +++ /dev/null 
@@ -1,146 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: nomad user and group" - block: - - name: "Getent user nomad" - ansible.builtin.getent: - database: passwd - key: nomad - register: nomad_user - - - name: "Getent group nomad" - ansible.builtin.getent: - database: group - key: nomad - register: nomad_group - - - name: "Verify nomad user and group" - ansible.builtin.assert: - that: - - not nomad_user.failed - - not nomad_group.failed - - "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()" - - "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']" - - "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']" - - "'nomad' in nomad_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/nomad.d" - block: - - name: "Stat directory /etc/nomad.d" - ansible.builtin.stat: - path: "/etc/nomad.d" - register: stat_etc_nomad_d - - - name: "Stat file /etc/nomad.d/nomad.env" - ansible.builtin.stat: - path: "/etc/nomad.d/nomad.env" - register: stat_etc_nomad_d_nomad_env - - - name: "Stat file /etc/nomad.d/nomad.json" - ansible.builtin.stat: - path: "/etc/nomad.d/nomad.json" - register: stat_etc_nomad_d_nomad_json - - - name: "Slurp file /etc/nomad.d/nomad.json" - ansible.builtin.slurp: - src: "/etc/nomad.d/nomad.json" - register: slurp_etc_nomad_d_nomad_json - - - name: "Verify directory /etc/nomad.d" - ansible.builtin.assert: - that: - - stat_etc_nomad_d.stat.exists - - stat_etc_nomad_d.stat.isdir - - stat_etc_nomad_d.stat.pw_name == 'nomad' - - stat_etc_nomad_d.stat.gr_name == 'nomad' - - stat_etc_nomad_d.stat.mode == '0755' - - stat_etc_nomad_d_nomad_env.stat.exists - - stat_etc_nomad_d_nomad_env.stat.isreg - - stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad' - - stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad' - - stat_etc_nomad_d_nomad_env.stat.mode == '0600' - - stat_etc_nomad_d_nomad_json.stat.exists - - stat_etc_nomad_d_nomad_json.stat.isreg - - 
stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad' - - stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad' - - stat_etc_nomad_d_nomad_json.stat.mode == '0600' - - slurp_etc_nomad_d_nomad_json.content != '' - - - name: "Test: directory /opt/nomad" - block: - - name: "Stat directory /opt/nomad" - ansible.builtin.stat: - path: "/opt/nomad" - register: stat_opt_nomad - - - name: "Verify directory /opt/nomad" - ansible.builtin.assert: - that: - - stat_opt_nomad.stat.exists - - stat_opt_nomad.stat.isdir - - stat_opt_nomad.stat.pw_name == 'nomad' - - stat_opt_nomad.stat.gr_name == 'nomad' - - stat_opt_nomad.stat.mode == '0755' - - - name: "Test: service nomad" - block: - - name: "Get service nomad" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/nomad.service" - ansible.builtin.stat: - path: "/etc/systemd/system/nomad.service" - register: stat_etc_systemd_system_nomad_service - - - name: "Slurp file /etc/systemd/system/nomad.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/nomad.service" - register: slurp_etc_systemd_system_nomad_service - - - name: "Verify service nomad" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_nomad_service.stat.exists - - stat_etc_systemd_system_nomad_service.stat.isreg - - stat_etc_systemd_system_nomad_service.stat.pw_name == 'root' - - stat_etc_systemd_system_nomad_service.stat.gr_name == 'root' - - stat_etc_systemd_system_nomad_service.stat.mode == '0644' - - slurp_etc_systemd_system_nomad_service.content != '' - - ansible_facts.services['nomad.service'] is defined - - ansible_facts.services['nomad.service']['source'] == 'systemd' - - ansible_facts.services['nomad.service']['state'] == 'running' - - ansible_facts.services['nomad.service']['status'] == 'enabled' - - - name: "Test: interaction nomad" - block: - - name: "Command nomad var put" - ansible.builtin.command: "nomad var put secret/foobar foo=bar" - changed_when: false - register: nomad_var_put - - - name: "Command nomad var get" 
- ansible.builtin.command: "nomad var get secret/foobar" - changed_when: false - register: nomad_var_get - - - name: "Command nomad var purge" - ansible.builtin.command: "nomad var purge secret/foobar" - changed_when: false - register: nomad_var_purge - - - name: "Command nomad server members" - ansible.builtin.command: "nomad server members" - changed_when: false - register: nomad_server_members - - - name: "Verify nomad interaction" - ansible.builtin.assert: - that: - - "'instance.global' in nomad_server_members.stdout" - - "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout" - - "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout" - - nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!' diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled/converge.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled/converge.yml deleted file mode 100644 index 4dfaa5b..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_nomad" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_nomad" diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled/group_vars/all.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled/group_vars/all.yml deleted file mode 100644 index 2ca2b54..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled/group_vars/all.yml +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -hashi_nomad_install: true -hashi_nomad_auto_update: true -hashi_nomad_cni_plugins_install: true -hashi_nomad_start_service: true -hashi_nomad_cni_plugins_version: latest -hashi_nomad_cni_plugins_install_path: "/opt/cni/bin" -hashi_nomad_version: latest -hashi_nomad_deploy_method: host # deployment method, either host or docker -hashi_nomad_env_variables: {} -hashi_nomad_data_dir: /opt/nomad -hashi_nomad_extra_files: true -hashi_nomad_extra_files_src: /tmp/extra_files -hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files -#! nomad configuration -hashi_nomad_configuration: - bind_addr: "0.0.0.0" - datacenter: dc1 - log_level: INFO - leave_on_terminate: false - data_dir: "{{ hashi_nomad_data_dir }}" - advertise: - http: "{{ ansible_default_ipv4.address }}" - rpc: "{{ ansible_default_ipv4.address }}" - serf: "{{ ansible_default_ipv4.address }}" - server: - enabled: true - bootstrap_expect: 1 - server_join: - retry_join: - - "{{ ansible_default_ipv4.address }}" - client: - enabled: false - node_class: default - reserved: - cpu: 500 - memory: 300 - cni_path: "{{ hashi_nomad_cni_plugins_install_path }}" - bridge_network_name: nomad - bridge_network_subnet: "172.26.64.0/20" - ui: - enabled: true - acl: - enabled: true - token_ttl: 30s - policy_ttl: 30s - role_ttl: 30s - token_min_expiration_ttl: 30s - token_max_expiration_ttl: 24h - telemetry: - collection_interval: 1s - disable_hostname: false - use_node_name: false - publish_allocation_metrics: false - publish_node_metrics: false - prefix_filter: [] - disable_dispatched_job_summary_metrics: false - prometheus_metrics: false - # tls: - # http: false - # rpc: false - # ca_file: "{{ hashi_nomad_data_dir }}/tls/ca.pem" - # cert_file: "{{ hashi_nomad_data_dir }}/tls/cert.pem" - # key_file: "{{ hashi_nomad_data_dir }}/tls/key.pem" - # plugin: - # docker: - # config: - # endpoint: "unix:///var/run/docker.sock" - # allow_privileged: false - # allow_caps: ["all"] - # volumes: - # enabled: true - # consul: 
- # address: "127.0.0.1:8500" - # token: "" - # auto_advertise: true - # vault: - # address: http://vault.service.consul:8200 - # token: "" - # create_from_role: nomad-cluster - # plugin: - # docker: - # endpoint: "unix:///var/run/docker.sock" - # allow_privileged: false - # allow_caps: ["all"] - # volumes_enabled: true diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled/molecule.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled/molecule.yml deleted file mode 100644 index 59630f1..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled/molecule.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_acl_enabled - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled/requirements.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled/verify.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled/verify.yml deleted file mode 100644 index 71ad567..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled/verify.yml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: nomad user and group" - block: - - name: "Getent user nomad" - ansible.builtin.getent: - database: passwd - key: nomad - register: nomad_user - - - name: "Getent group nomad" - ansible.builtin.getent: - database: group - key: nomad - register: nomad_group - - - name: "Verify nomad user and group" - ansible.builtin.assert: - that: - - not nomad_user.failed - - not nomad_group.failed - - "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()" - - "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']" - - "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']" - - "'nomad' in nomad_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/nomad.d" - block: - - name: "Stat directory /etc/nomad.d" - ansible.builtin.stat: - path: "/etc/nomad.d" - register: stat_etc_nomad_d - - - name: "Stat file /etc/nomad.d/nomad.env" - ansible.builtin.stat: - path: "/etc/nomad.d/nomad.env" - register: stat_etc_nomad_d_nomad_env - - - name: "Stat file /etc/nomad.d/nomad.json" - ansible.builtin.stat: - path: "/etc/nomad.d/nomad.json" - register: stat_etc_nomad_d_nomad_json - - - name: "Slurp file /etc/nomad.d/nomad.json" - ansible.builtin.slurp: - src: "/etc/nomad.d/nomad.json" - register: slurp_etc_nomad_d_nomad_json - - - name: "Verify directory /etc/nomad.d" - ansible.builtin.assert: - that: - - stat_etc_nomad_d.stat.exists - - stat_etc_nomad_d.stat.isdir - - stat_etc_nomad_d.stat.pw_name == 'nomad' - - stat_etc_nomad_d.stat.gr_name == 'nomad' - - stat_etc_nomad_d.stat.mode == '0755' - - stat_etc_nomad_d_nomad_env.stat.exists - - stat_etc_nomad_d_nomad_env.stat.isreg - - stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad' - - stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad' - - stat_etc_nomad_d_nomad_env.stat.mode == '0600' - - stat_etc_nomad_d_nomad_json.stat.exists - - stat_etc_nomad_d_nomad_json.stat.isreg - - 
stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad' - - stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad' - - stat_etc_nomad_d_nomad_json.stat.mode == '0600' - - slurp_etc_nomad_d_nomad_json.content != '' - - - name: "Test: directory /opt/nomad" - block: - - name: "Stat directory /opt/nomad" - ansible.builtin.stat: - path: "/opt/nomad" - register: stat_opt_nomad - - - name: "Verify directory /opt/nomad" - ansible.builtin.assert: - that: - - stat_opt_nomad.stat.exists - - stat_opt_nomad.stat.isdir - - stat_opt_nomad.stat.pw_name == 'nomad' - - stat_opt_nomad.stat.gr_name == 'nomad' - - stat_opt_nomad.stat.mode == '0755' - - - name: "Test: service nomad" - block: - - name: "Get service nomad" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/nomad.service" - ansible.builtin.stat: - path: "/etc/systemd/system/nomad.service" - register: stat_etc_systemd_system_nomad_service - - - name: "Slurp file /etc/systemd/system/nomad.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/nomad.service" - register: slurp_etc_systemd_system_nomad_service - - - name: "Verify service nomad" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_nomad_service.stat.exists - - stat_etc_systemd_system_nomad_service.stat.isreg - - stat_etc_systemd_system_nomad_service.stat.pw_name == 'root' - - stat_etc_systemd_system_nomad_service.stat.gr_name == 'root' - - stat_etc_systemd_system_nomad_service.stat.mode == '0644' - - slurp_etc_systemd_system_nomad_service.content != '' - - ansible_facts.services['nomad.service'] is defined - - ansible_facts.services['nomad.service']['source'] == 'systemd' - - ansible_facts.services['nomad.service']['state'] == 'running' - - ansible_facts.services['nomad.service']['status'] == 'enabled' - - - name: "Test: bootstrap acl nomad" - block: - - name: "Command nomad acl bootstrap" - ansible.builtin.command: "nomad acl bootstrap -json" - changed_when: false - register: nomad_acl_bootstrap - - - name: "Test: interaction 
nomad" - vars: - acl_token: "{{ nomad_acl_bootstrap.stdout|from_json|json_query('SecretID') }}" - block: - - name: "Command nomad var put" - ansible.builtin.command: "nomad var put secret/foobar foo=bar" - environment: - NOMAD_TOKEN: "{{ acl_token }}" - changed_when: false - register: nomad_var_put - - - name: "Command nomad var get" - ansible.builtin.command: "nomad var get secret/foobar" - environment: - NOMAD_TOKEN: "{{ acl_token }}" - changed_when: false - register: nomad_var_get - - - name: "Command nomad var purge" - ansible.builtin.command: "nomad var purge secret/foobar" - environment: - NOMAD_TOKEN: "{{ acl_token }}" - changed_when: false - register: nomad_var_purge - - - name: "Command nomad server members" - ansible.builtin.command: "nomad server members" - environment: - NOMAD_TOKEN: "{{ acl_token }}" - changed_when: false - register: nomad_server_members - - - name: "Verify nomad interaction" - ansible.builtin.assert: - that: - - "'instance.global' in nomad_server_members.stdout" - - "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout" - - "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout" - - nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!' diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/converge.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/converge.yml deleted file mode 100644 index 4dfaa5b..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_nomad" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_nomad" diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/group_vars/all.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/group_vars/all.yml deleted file mode 100644 index 2ca2b54..0000000 
--- a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/group_vars/all.yml +++ /dev/null 
@@ -1,86 +0,0 @@ ---- -hashi_nomad_install: true -hashi_nomad_auto_update: true -hashi_nomad_cni_plugins_install: true -hashi_nomad_start_service: true -hashi_nomad_cni_plugins_version: latest -hashi_nomad_cni_plugins_install_path: "/opt/cni/bin" -hashi_nomad_version: latest -hashi_nomad_deploy_method: host # deployment method, either host or docker -hashi_nomad_env_variables: {} -hashi_nomad_data_dir: /opt/nomad -hashi_nomad_extra_files: true -hashi_nomad_extra_files_src: /tmp/extra_files -hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files -#! nomad configuration -hashi_nomad_configuration: - bind_addr: "0.0.0.0" - datacenter: dc1 - log_level: INFO - leave_on_terminate: false - data_dir: "{{ hashi_nomad_data_dir }}" - advertise: - http: "{{ ansible_default_ipv4.address }}" - rpc: "{{ ansible_default_ipv4.address }}" - serf: "{{ ansible_default_ipv4.address }}" - server: - enabled: true - bootstrap_expect: 1 - server_join: - retry_join: - - "{{ ansible_default_ipv4.address }}" - client: - enabled: false - node_class: default - reserved: - cpu: 500 - memory: 300 - cni_path: "{{ hashi_nomad_cni_plugins_install_path }}" - bridge_network_name: nomad - bridge_network_subnet: "172.26.64.0/20" - ui: - enabled: true - acl: - enabled: true - token_ttl: 30s - policy_ttl: 30s - role_ttl: 30s - token_min_expiration_ttl: 30s - token_max_expiration_ttl: 24h - telemetry: - collection_interval: 1s - disable_hostname: false - use_node_name: false - publish_allocation_metrics: false - publish_node_metrics: false - prefix_filter: [] - disable_dispatched_job_summary_metrics: false - prometheus_metrics: false - # tls: - # http: false - # rpc: false - # ca_file: "{{ hashi_nomad_data_dir }}/tls/ca.pem" - # cert_file: "{{ hashi_nomad_data_dir }}/tls/cert.pem" - # key_file: "{{ hashi_nomad_data_dir }}/tls/key.pem" - # plugin: - # docker: - # config: - # endpoint: "unix:///var/run/docker.sock" - # allow_privileged: false - # allow_caps: ["all"] - # volumes: - # enabled: true - # consul: 
- # address: "127.0.0.1:8500" - # token: "" - # auto_advertise: true - # vault: - # address: http://vault.service.consul:8200 - # token: "" - # create_from_role: nomad-cluster - # plugin: - # docker: - # endpoint: "unix:///var/run/docker.sock" - # allow_privileged: false - # allow_caps: ["all"] - # volumes_enabled: true diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/molecule.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/molecule.yml deleted file mode 100644 index 0e6b593..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/molecule.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_acl_enabled_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/requirements.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/verify.yml b/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/verify.yml deleted file mode 100644 index 71ad567..0000000 --- a/roles/hashicorp_nomad/molecule/with_acl_enabled_vagrant/verify.yml +++ /dev/null 
@@ -1,163 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: nomad user and group" - block: - - name: "Getent user nomad" - ansible.builtin.getent: - database: passwd - key: nomad - register: nomad_user - - - name: "Getent group nomad" - ansible.builtin.getent: - database: group - key: nomad - register: nomad_group - - - name: "Verify nomad user and group" - ansible.builtin.assert: - that: - - not nomad_user.failed - - not nomad_group.failed - - "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()" - - "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']" - - "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']" - - "'nomad' in nomad_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/nomad.d" - block: - - name: "Stat directory /etc/nomad.d" - ansible.builtin.stat: - path: "/etc/nomad.d" - register: stat_etc_nomad_d - - - name: "Stat file /etc/nomad.d/nomad.env" - ansible.builtin.stat: - path: "/etc/nomad.d/nomad.env" - register: stat_etc_nomad_d_nomad_env - - - name: "Stat file /etc/nomad.d/nomad.json" - ansible.builtin.stat: - path: "/etc/nomad.d/nomad.json" - register: stat_etc_nomad_d_nomad_json - - - name: "Slurp file /etc/nomad.d/nomad.json" - ansible.builtin.slurp: - src: "/etc/nomad.d/nomad.json" - register: slurp_etc_nomad_d_nomad_json - - - name: "Verify directory /etc/nomad.d" - ansible.builtin.assert: - that: - - stat_etc_nomad_d.stat.exists - - stat_etc_nomad_d.stat.isdir - - stat_etc_nomad_d.stat.pw_name == 'nomad' - - stat_etc_nomad_d.stat.gr_name == 'nomad' - - stat_etc_nomad_d.stat.mode == '0755' - - stat_etc_nomad_d_nomad_env.stat.exists - - stat_etc_nomad_d_nomad_env.stat.isreg - - stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad' - - stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad' - - stat_etc_nomad_d_nomad_env.stat.mode == '0600' - - stat_etc_nomad_d_nomad_json.stat.exists - - stat_etc_nomad_d_nomad_json.stat.isreg - - 
stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad' - - stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad' - - stat_etc_nomad_d_nomad_json.stat.mode == '0600' - - slurp_etc_nomad_d_nomad_json.content != '' - - - name: "Test: directory /opt/nomad" - block: - - name: "Stat directory /opt/nomad" - ansible.builtin.stat: - path: "/opt/nomad" - register: stat_opt_nomad - - - name: "Verify directory /opt/nomad" - ansible.builtin.assert: - that: - - stat_opt_nomad.stat.exists - - stat_opt_nomad.stat.isdir - - stat_opt_nomad.stat.pw_name == 'nomad' - - stat_opt_nomad.stat.gr_name == 'nomad' - - stat_opt_nomad.stat.mode == '0755' - - - name: "Test: service nomad" - block: - - name: "Get service nomad" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/nomad.service" - ansible.builtin.stat: - path: "/etc/systemd/system/nomad.service" - register: stat_etc_systemd_system_nomad_service - - - name: "Slurp file /etc/systemd/system/nomad.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/nomad.service" - register: slurp_etc_systemd_system_nomad_service - - - name: "Verify service nomad" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_nomad_service.stat.exists - - stat_etc_systemd_system_nomad_service.stat.isreg - - stat_etc_systemd_system_nomad_service.stat.pw_name == 'root' - - stat_etc_systemd_system_nomad_service.stat.gr_name == 'root' - - stat_etc_systemd_system_nomad_service.stat.mode == '0644' - - slurp_etc_systemd_system_nomad_service.content != '' - - ansible_facts.services['nomad.service'] is defined - - ansible_facts.services['nomad.service']['source'] == 'systemd' - - ansible_facts.services['nomad.service']['state'] == 'running' - - ansible_facts.services['nomad.service']['status'] == 'enabled' - - - name: "Test: bootstrap acl nomad" - block: - - name: "Command nomad acl bootstrap" - ansible.builtin.command: "nomad acl bootstrap -json" - changed_when: false - register: nomad_acl_bootstrap - - - name: "Test: interaction 
nomad" - vars: - acl_token: "{{ nomad_acl_bootstrap.stdout|from_json|json_query('SecretID') }}" - block: - - name: "Command nomad var put" - ansible.builtin.command: "nomad var put secret/foobar foo=bar" - environment: - NOMAD_TOKEN: "{{ acl_token }}" - changed_when: false - register: nomad_var_put - - - name: "Command nomad var get" - ansible.builtin.command: "nomad var get secret/foobar" - environment: - NOMAD_TOKEN: "{{ acl_token }}" - changed_when: false - register: nomad_var_get - - - name: "Command nomad var purge" - ansible.builtin.command: "nomad var purge secret/foobar" - environment: - NOMAD_TOKEN: "{{ acl_token }}" - changed_when: false - register: nomad_var_purge - - - name: "Command nomad server members" - ansible.builtin.command: "nomad server members" - environment: - NOMAD_TOKEN: "{{ acl_token }}" - changed_when: false - register: nomad_server_members - - - name: "Verify nomad interaction" - ansible.builtin.assert: - that: - - "'instance.global' in nomad_server_members.stdout" - - "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout" - - "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout" - - nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!' diff --git a/roles/hashicorp_nomad/tasks/cni_install.yml b/roles/hashicorp_nomad/tasks/cni_install.yml deleted file mode 100644 index 442bbb3..0000000 --- a/roles/hashicorp_nomad/tasks/cni_install.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -# task/cni_install file for hashicorp_nomad -- name: "Get release for cni_plugins:{{ hashi_nomad_cni_plugins_version }}" - vars: - _cni_plugins_url_ext: "{% if hashi_nomad_cni_plugins_version == 'latest'%}releases{% else %}releases/tags{% endif %}" - ansible.builtin.uri: - url: "{{ hashi_nomad_cni_plugins_github_api }}/{{ _cni_plugins_url_ext }}/{{ hashi_nomad_cni_plugins_version }}" - return_content: true - register: _cni_plugins_new_release - -- name: "Check if cni plugin is already installed" - ansible.builtin.stat: - path: "{{ hashi_nomad_cni_plugins_install_path }}/version" - changed_when: false - check_mode: false - register: _cni_plugins_is_installed - -- name: "Check current cni plugin version" - ansible.builtin.command: "cat {{ hashi_nomad_cni_plugins_install_path }}/version" - changed_when: false - check_mode: false - register: _cni_plugins_old_release - when: _cni_plugins_is_installed.stat.exists - -- name: "Set facts for wanted cni plugins release" - ansible.builtin.set_fact: - hashi_nomad_cni_plugins_wanted_version: "{{ _cni_plugins_new_release.json['tag_name']|regex_replace('v', '') }}" - when: _cni_plugins_new_release.json is defined - and (_cni_plugins_new_release.json | length > 0) - -- name: "Set facts for current cni plugins release" - ansible.builtin.set_fact: - hashi_nomad_cni_plugins_current_version: "{{ _cni_plugins_old_release.stdout | regex_replace('v', '') }}" - when: _cni_plugins_old_release.stdout is defined - and (_cni_plugins_old_release.stdout | length > 0) - -- name: "Create cni directory" - ansible.builtin.file: - path: "{{ hashi_nomad_cni_plugins_install_path }}" - state: directory - mode: "0775" - -- name: "Install cni plugins" - when: hashi_nomad_cni_plugins_current_version is not defined - or hashi_nomad_cni_plugins_wanted_version not in hashi_nomad_cni_plugins_current_version - block: - - name: "Install cni plugins version:{{ hashi_nomad_cni_plugins_version }}" - ansible.builtin.get_url: - url: "{{ 
hashi_nomad_cni_plugins_github_url }}/releases/download/v{{ hashi_nomad_cni_plugins_wanted_version }}/cni-plugins-linux-{{ hashi_nomad_cni_plugins_arch }}-v{{ hashi_nomad_cni_plugins_wanted_version }}.tgz" - dest: "/tmp/cni_plugin.tgz" - mode: "0644" - register: _cni_plugins_download_archive - until: _cni_plugins_download_archive is succeeded - retries: 5 - delay: 2 - check_mode: false - - - name: "Unpack cni plugins" - ansible.builtin.unarchive: - src: "/tmp/cni_plugin.tgz" - dest: "{{ hashi_nomad_cni_plugins_install_path }}" - remote_src: true - - - name: "Remove temporary archive" - ansible.builtin.file: - path: "/tmp/cni_plugin.tgz" - state: absent - - - name: "Update version file" - ansible.builtin.copy: - content: "{{ hashi_nomad_cni_plugins_wanted_version }}" - dest: "{{ hashi_nomad_cni_plugins_install_path }}/version" - mode: "0600" diff --git a/roles/hashicorp_nomad/tasks/configure.yml b/roles/hashicorp_nomad/tasks/configure.yml deleted file mode 100644 index 5be74a5..0000000 --- a/roles/hashicorp_nomad/tasks/configure.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -# task/configure file for hashicorp_nomad -- name: "Ensure default nomad.hcl is removed" - ansible.builtin.file: - path: /etc/nomad.d/nomad.hcl - state: absent - -- name: "Copy nomad.json template" - ansible.builtin.template: - src: nomad.json.j2 - dest: "{{ hashi_nomad_config_dir }}/nomad.json" - owner: "{{ hashi_nomad_user }}" - group: "{{ hashi_nomad_group }}" - mode: '0600' - notify: - - "systemctl-enable-nomad" - - "systemctl-restart-nomad" - -- name: "Create nomad.env" - ansible.builtin.template: - src: nomad.env.j2 - dest: "{{ hashi_nomad_config_dir }}/nomad.env" - owner: "{{ hashi_nomad_user }}" - group: "{{ hashi_nomad_group }}" - mode: '0600' - -- name: "Copy extra configuration files" - when: hashi_nomad_extra_files - block: - - name: "Create directory {{ hashi_nomad_extra_files_dst }}" - ansible.builtin.file: - path: "{{ hashi_nomad_extra_files_dst }}" - state: directory - owner: "{{ hashi_nomad_user }}" - group: "{{ hashi_nomad_group }}" - mode: '0755' - - - name: "Copy extra configuration files" - ansible.builtin.template: - src: "{{ item }}" - dest: "{{ hashi_nomad_extra_files_dst }}/{{ (item | basename).split('.')[:-1] | join('.')}}" - owner: "{{ hashi_nomad_user }}" - group: "{{ hashi_nomad_group }}" - mode: '0600' - with_fileglob: - - "{{ hashi_nomad_extra_files_src }}/*" diff --git a/roles/hashicorp_nomad/tasks/install.yml b/roles/hashicorp_nomad/tasks/install.yml deleted file mode 100644 index 71f308b..0000000 --- a/roles/hashicorp_nomad/tasks/install.yml +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -# task/install file for hashicorp_nomad -- name: "Configure hashicorp repository" - ansible.builtin.include_role: - name: ednxzu.manage_repositories - vars: - manage_repositories_enable_default_repo: false - manage_repositories_enable_custom_repo: true - manage_repositories_custom_repo: "{{ hashi_nomad_repository }}" - -- name: "Install nomad:{{ hashi_nomad_version }}" - ansible.builtin.include_role: - name: ednxzu.manage_apt_packages - vars: - manage_apt_packages_list: "{{ hashi_nomad_packages }}" - -- name: "Copy systemd service file for nomad" - ansible.builtin.template: - src: "nomad.service.j2" - dest: "/etc/systemd/system/nomad.service" - owner: root - group: root - mode: '0644' - notify: - - "systemctl-daemon-reload" diff --git a/roles/hashicorp_nomad/tasks/main.yml b/roles/hashicorp_nomad/tasks/main.yml deleted file mode 100644 index c997106..0000000 --- a/roles/hashicorp_nomad/tasks/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# task/main file for hashicorp_nomad -- name: "Import prerequisites.yml" - ansible.builtin.include_tasks: prerequisites.yml - -- name: "Import install.yml" - ansible.builtin.include_tasks: install.yml - when: hashi_nomad_install - -- name: "Import cni_install.yml" - ansible.builtin.include_tasks: cni_install.yml - when: hashi_nomad_cni_plugins_install - -- name: "Import configure.yml" - ansible.builtin.include_tasks: configure.yml diff --git a/roles/hashicorp_nomad/tasks/prerequisites.yml b/roles/hashicorp_nomad/tasks/prerequisites.yml deleted file mode 100644 index a78d51a..0000000 --- a/roles/hashicorp_nomad/tasks/prerequisites.yml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -# task/prerequisites file for hashicorp_nomad -- name: "Create group {{ hashi_nomad_group }}" - ansible.builtin.group: - name: "{{ hashi_nomad_user }}" - state: present - -- name: "Create user {{ hashi_nomad_user }}" - ansible.builtin.user: - name: "{{ hashi_nomad_user }}" - group: "{{ hashi_nomad_group }}" - shell: /bin/false - state: present - -- name: "Create directory {{ hashi_nomad_config_dir }}" - ansible.builtin.file: - path: "{{ hashi_nomad_config_dir }}" - state: directory - owner: "{{ hashi_nomad_user }}" - group: "{{ hashi_nomad_group }}" - mode: '0755' - -- name: "Create directory {{ hashi_nomad_data_dir }}" - ansible.builtin.file: - path: "{{ hashi_nomad_data_dir }}" - state: directory - owner: "{{ hashi_nomad_user }}" - group: "{{ hashi_nomad_group }}" - mode: '0755' diff --git a/roles/hashicorp_nomad/templates/nomad.env.j2 b/roles/hashicorp_nomad/templates/nomad.env.j2 deleted file mode 100644 index 60459d3..0000000 --- a/roles/hashicorp_nomad/templates/nomad.env.j2 +++ /dev/null @@ -1,4 +0,0 @@ -# {{ ansible_managed }} -{% for item in hashi_nomad_env_variables %} -{{ item|upper }}="{{ hashi_nomad_env_variables[item] }}" -{% endfor %} \ No newline at end of file diff --git a/roles/hashicorp_nomad/templates/nomad.json.j2 b/roles/hashicorp_nomad/templates/nomad.json.j2 deleted file mode 100644 index 2aae039..0000000 --- a/roles/hashicorp_nomad/templates/nomad.json.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ hashi_nomad_configuration|to_nice_json }} diff --git a/roles/hashicorp_nomad/templates/nomad.service.j2 b/roles/hashicorp_nomad/templates/nomad.service.j2 deleted file mode 100644 index 70741c3..0000000 --- a/roles/hashicorp_nomad/templates/nomad.service.j2 +++ /dev/null 
@@ -1,33 +0,0 @@ -[Unit] -Description=Nomad -Documentation=https://developer.hashicorp.com/nomad/docs -Wants=network-online.target -After=network-online.target -ConditionFileNotEmpty={{ hashi_nomad_config_dir }}/nomad.json -{% if hashi_nomad_configuration.consul.address is defined %} -Wants=consul.service -After=consul.service -{% endif %} - -[Service] -EnvironmentFile=-{{ hashi_nomad_config_dir }}/nomad.env -{% if not (hashi_nomad_configuration.client.enabled is defined and hashi_nomad_configuration.client.enabled) %} -User={{ hashi_nomad_user }} -Group={{ hashi_nomad_group }} -{% else %} -User=root -Group=root -{% endif %} -ExecStart=/usr/bin/nomad agent -config {{ hashi_nomad_config_dir }}/nomad.json -ExecReload=/bin/kill -HUP $MAINPID -KillMode=process -KillSignal=SIGINT -Restart=on-failure -LimitNOFILE=65536 -LimitNPROC=infinity -RestartSec=2 -TasksMax=infinity -OOMScoreAdjust=-1000 - -[Install] -WantedBy=multi-user.target \ No newline at end of file diff --git a/roles/hashicorp_nomad/vars/main.yml b/roles/hashicorp_nomad/vars/main.yml deleted file mode 100644 index 394bb5b..0000000 --- a/roles/hashicorp_nomad/vars/main.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -# vars file for hashicorp_nomad -hashi_nomad_user: nomad -hashi_nomad_group: nomad -hashi_nomad_config_dir: "/etc/nomad.d" -hashi_nomad_cni_plugins_arch_map: - i386: '386' - x86_64: 'amd64' - aarch64: 'arm' - armv7l: 'arm' - armv6l: 'arm' -hashi_nomad_cni_plugins_arch: "{{ hashi_nomad_cni_plugins_arch_map[ansible_architecture] | default(ansible_architecture) }}" -hashi_nomad_cni_plugins_github_api: https://api.github.com/repos/containernetworking/plugins -hashi_nomad_cni_plugins_github_url: https://github.com/containernetworking/plugins -hashi_nomad_repository: - - name: hashicorp - uri: "https://apt.releases.hashicorp.com" - comments: "hashicorp repository" - types: - - deb - suites: - - "{{ ansible_distribution_release }}" - components: - - main - options: - Signed-By: "https://apt.releases.hashicorp.com/gpg" -hashi_nomad_packages: - - name: nomad - version: "{{ hashi_nomad_version }}" - state: "{% if hashi_nomad_auto_update %}latest{% else %}present{% endif %}" diff --git a/roles/hashicorp_vault/LICENSE b/roles/hashicorp_vault/LICENSE deleted file mode 100644 index c9a37e5..0000000 --- a/roles/hashicorp_vault/LICENSE +++ /dev/null 
@@ -1,20 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2017 Bertrand Lanson - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/roles/hashicorp_vault/README.md b/roles/hashicorp_vault/README.md deleted file mode 100644 index 1fac717..0000000 --- a/roles/hashicorp_vault/README.md +++ /dev/null 
@@ -1,98 +0,0 @@ -hashicorp_vault -========= -> This repository is only a mirror. Development and testing is done on a private gitea server. - -This role install and configure vault on **debian-based** distributions. - -Requirements ------------- - -None. - -Role Variables --------------- -Available variables are listed below, along with default values. A sample file for the default values is available in `default/hashicorp_vault.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. - -```yaml -hashi_vault_install: true # by default, set to true -``` -This variable defines if the vault package is to be installed or not before configuring. If you install vault using another task, you can set this to `false`. - -```yaml -hashi_vault_auto_update: false # by default, set to false -``` -This variable allows you to choose to automatically update vault if a newer version is available. Updating vault is usually pretty safe if done on a regular basis, but for better control over the upgrade process, see `hashi_vault_version`. - -```yaml -hashi_vault_start_service: true -``` -This variable defines if the vault service should be started once it has been configured. This is usefull in case you're using this role to build golden images, in which case you might want to only enable the service, to have it start on the next boot (when the image is launched) - -```yaml -hashi_vault_version: latest # by default, set to latest -``` -This variable specifies the version of vault to install when `hashi_vault_install` is set to `true`. The version to specify is the version of the package on the hashicorp repository (`1.10.1-1` for example). This can be found by running `apt-cache madison vault` on a machine with the repository installed. - -```yaml -hashi_vault_deploy_method: host # by default, set to host -``` -This variable defines the method of deployment of vault. 
The `host` method installs the binary directly on the host, and runs vault as a systemd service. The `docker` method install vault as a docker container. -> Currently, only the `host` method is available, the `docker` method will be added later. - -```yaml -hashi_vault_env_variables: # by default, set to {} - env_var: value -``` -This value is a list of key/value that will populate the `vault.env` file. You do not have to capitalize the KEYS, as it will be done automatically. - -```yaml -hashi_vault_data_dir: "/opt/vault" # by default, set to /opt/vault -``` -This value defines the path where consul data will be stored on the node. Defaults to `/opt/consul`. - -```yaml -hashi_vault_extra_files: false # by default, set to false -``` -This variable defines whether or not there is extra configuration files to copy to the target. If there are, these extra files are expected to be jinja2 templates located all in the same directory, and will be copied to the specified directory on the target machine. - -```yaml -hashi_vault_extra_files_src: /tmp/extra_files # by default, set to /tmp/extra_files -``` -This variable defines the source directory (without the trailing /) for the extra files to be copied in case there are some. - -```yaml -hashi_vault_extra_files_dst: /etc/vault.d/extra_files # by default, set to /etc/vault.d/extra_files -``` -This variable defines the destination directory (without the trailing /) for the extra files to be copied. - -```yaml -hashi_vault_configuration: {} # by default, set to a simple configuration -``` -This variable sets all of the configuration parameters for vault. For more information on all of them, please check the [documentation](https://developer.hashicorp.com/vault/docs/configuration). This variable is parsed and converted to json format to create the config file, so each key and value should be set according to the documentation. 
This method of passing configuration allows for compatibility with every configuration parameters that vault has to offer. The defaults are simply here to deploy a simple, single-node vault server without much configuration, and should NOT be used in production. You will want to edit this to deploy production-ready clusters. - -Dependencies ------------- - -`ednxzu.manage_repositories` to configure the hashicorp apt repository. -`ednxzu.manage_apt_packages` to install vault. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: -```yaml -# calling the role inside a playbook with either the default or group_vars/host_vars -- hosts: servers - roles: - - ednxzu.hashicorp_vault -``` - -License -------- - -MIT / BSD - -Author Information ------------------- - -This role was created by Bertrand Lanson in 2023. diff --git a/roles/hashicorp_vault/defaults/hashicorp_vault.yml.sample b/roles/hashicorp_vault/defaults/hashicorp_vault.yml.sample deleted file mode 100644 index 46b9522..0000000 --- a/roles/hashicorp_vault/defaults/hashicorp_vault.yml.sample +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -# hashi_vault_install: true -# hashi_vault_auto_update: false -# hashi_vault_start_service: true -# hashi_vault_version: latest -# hashi_vault_deploy_method: host # deployment method, either host or docker -# hashi_vault_env_variables: {} -# hashi_vault_data_dir: "/opt/vault" -# hashi_vault_extra_files: false -# hashi_vault_extra_files_src: /tmp/extra_files -# hashi_vault_extra_files_dst: /etc/vault.d/extra_files -# #! vault configuration -# hashi_vault_configuration: -# cluster_name: vault -# cluster_addr: "https://127.0.0.1:8201" -# api_addr: "https://127.0.0.1:8200" -# ui: true -# disable_mlock: false -# disable_cache: false -# listener: -# tcp: -# address: "127.0.0.1:8200" -# cluster_address: "127.0.0.1:8201" -# tls_disable: 0 -# tls_disable_client_certs: false -# tls_cert_file: "{{ hashi_vault_data_dir }}/tls/tls.crt" # this use the autogenerated TLS certificates -# tls_key_file: "{{ hashi_vault_data_dir }}/tls/tls.key" # this use the autogenerated TLS certificates -# storage: -# file: -# path: "{{ hashi_vault_data_dir }}/data" -# # service_registration: -# # consul: -# # address: 127.0.0.1:8500 -# # scheme: https -# # token: someUUIDforconsul -# telemetry: -# usage_gauge_period: 10m -# maximum_gauge_cardinality: 500 -# disable_hostname: false -# enable_hostname_label: false -# lease_metrics_epsilon: 1h -# num_lease_metrics_buckets: 168 -# add_lease_metrics_namespace_labels: false -# filter_default: true -# prefix_filter: [] -# prometheus_retention_time: 24h diff --git a/roles/hashicorp_vault/defaults/main.yml b/roles/hashicorp_vault/defaults/main.yml deleted file mode 100644 index 6c8e571..0000000 --- a/roles/hashicorp_vault/defaults/main.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -# defaults file for hashicorp_vault -hashi_vault_install: true -hashi_vault_auto_update: false -hashi_vault_start_service: true -hashi_vault_version: latest -hashi_vault_deploy_method: host # deployment method, either host or docker -hashi_vault_env_variables: {} -hashi_vault_data_dir: "/opt/vault" -hashi_vault_extra_files: false -hashi_vault_extra_files_src: /tmp/extra_files -hashi_vault_extra_files_dst: /etc/vault.d/extra_files -#! vault configuration -hashi_vault_configuration: - cluster_name: vault - cluster_addr: "https://127.0.0.1:8201" - api_addr: "https://127.0.0.1:8200" - ui: true - disable_mlock: false - disable_cache: false - listener: - tcp: - address: "127.0.0.1:8200" - cluster_address: "127.0.0.1:8201" - tls_disable: 0 - tls_disable_client_certs: false - tls_cert_file: "{{ hashi_vault_data_dir }}/tls/tls.crt" # this use the autogenerated TLS certificates - tls_key_file: "{{ hashi_vault_data_dir }}/tls/tls.key" # this use the autogenerated TLS certificates - storage: - file: - path: "{{ hashi_vault_data_dir }}/data" - # service_registration: - # consul: - # address: 127.0.0.1:8500 - # scheme: https - # token: someUUIDforconsul - telemetry: - usage_gauge_period: 10m - maximum_gauge_cardinality: 500 - disable_hostname: false - enable_hostname_label: false - lease_metrics_epsilon: 1h - num_lease_metrics_buckets: 168 - add_lease_metrics_namespace_labels: false - filter_default: true - prefix_filter: [] - prometheus_retention_time: 24h diff --git a/roles/hashicorp_vault/handlers/main.yml b/roles/hashicorp_vault/handlers/main.yml deleted file mode 100644 index 22ad3a1..0000000 --- a/roles/hashicorp_vault/handlers/main.yml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -# handlers file for hashicorp_vault -- name: "Reload systemd file" - ansible.builtin.systemd: - daemon_reload: true - listen: "systemctl-daemon-reload" - -- name: "Enable vault service" - ansible.builtin.service: - name: vault - enabled: true - listen: "systemctl-enable-vault" - -- name: "Start vault service" - ansible.builtin.service: - name: vault - state: restarted - listen: "systemctl-restart-vault" - throttle: 1 - when: hashi_vault_start_service diff --git a/roles/hashicorp_vault/meta/main.yml b/roles/hashicorp_vault/meta/main.yml deleted file mode 100644 index 3e001d3..0000000 --- a/roles/hashicorp_vault/meta/main.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# meta file for hashicorp_vault -galaxy_info: - namespace: 'ednxzu' - role_name: 'hashicorp_vault' - author: 'Bertrand Lanson' - description: 'Install and configure hashicorp vault for debian-based distros.' - license: 'license (BSD, MIT)' - min_ansible_version: '2.10' - platforms: - - name: Ubuntu - versions: - - focal - - jammy - - name: Debian - versions: - - bullseye - - bookworm - galaxy_tags: - - 'ubuntu' - - 'debian' - - 'hashicorp' - - 'vault' - -dependencies: [] diff --git a/roles/hashicorp_vault/molecule/default/converge.yml b/roles/hashicorp_vault/molecule/default/converge.yml deleted file mode 100644 index 96ffa3c..0000000 --- a/roles/hashicorp_vault/molecule/default/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_vault" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_vault" diff --git a/roles/hashicorp_vault/molecule/default/molecule.yml b/roles/hashicorp_vault/molecule/default/molecule.yml deleted file mode 100644 index 49efc7f..0000000 --- a/roles/hashicorp_vault/molecule/default/molecule.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_vault/molecule/default/requirements.yml b/roles/hashicorp_vault/molecule/default/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_vault/molecule/default/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_vault/molecule/default/verify.yml b/roles/hashicorp_vault/molecule/default/verify.yml deleted file mode 100644 index 5a577f5..0000000 --- a/roles/hashicorp_vault/molecule/default/verify.yml +++ /dev/null 
@@ -1,162 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: vault user and group" - block: - - name: "Getent user vault" - ansible.builtin.getent: - database: passwd - key: vault - register: vault_user - - - name: "Getent group vault" - ansible.builtin.getent: - database: group - key: vault - register: vault_group - - - name: "Verify vault user and group" - ansible.builtin.assert: - that: - - not vault_user.failed - - not vault_group.failed - - "'vault' in vault_user.ansible_facts.getent_passwd.keys()" - - "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']" - - "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']" - - "'vault' in vault_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/vault.d" - block: - - name: "Stat directory /etc/vault.d" - ansible.builtin.stat: - path: "/etc/vault.d" - register: stat_etc_vault_d - - - name: "Stat file /etc/vault.d/vault.env" - ansible.builtin.stat: - path: "/etc/vault.d/vault.env" - register: stat_etc_vault_d_vault_env - - - name: "Stat file /etc/vault.d/vault.json" - ansible.builtin.stat: - path: "/etc/vault.d/vault.json" - register: stat_etc_vault_d_vault_json - - - name: "Slurp file /etc/vault.d/vault.json" - ansible.builtin.slurp: - src: "/etc/vault.d/vault.json" - register: slurp_etc_vault_d_vault_json - - - name: "Verify directory /etc/vault.d" - ansible.builtin.assert: - that: - - stat_etc_vault_d.stat.exists - - stat_etc_vault_d.stat.isdir - - stat_etc_vault_d.stat.pw_name == 'vault' - - stat_etc_vault_d.stat.gr_name == 'vault' - - stat_etc_vault_d.stat.mode == '0755' - - stat_etc_vault_d_vault_env.stat.exists - - stat_etc_vault_d_vault_env.stat.isreg - - stat_etc_vault_d_vault_env.stat.pw_name == 'vault' - - stat_etc_vault_d_vault_env.stat.gr_name == 'vault' - - stat_etc_vault_d_vault_env.stat.mode == '0600' - - stat_etc_vault_d_vault_json.stat.exists - - stat_etc_vault_d_vault_json.stat.isreg - - 
stat_etc_vault_d_vault_json.stat.pw_name == 'vault' - - stat_etc_vault_d_vault_json.stat.gr_name == 'vault' - - stat_etc_vault_d_vault_json.stat.mode == '0600' - - slurp_etc_vault_d_vault_json.content != '' - - - name: "Test: directory /opt/vault" - block: - - name: "Stat directory /opt/vault" - ansible.builtin.stat: - path: "/opt/vault" - register: stat_opt_vault - - - name: "Verify directory /opt/vault" - ansible.builtin.assert: - that: - - stat_opt_vault.stat.exists - - stat_opt_vault.stat.isdir - - stat_opt_vault.stat.pw_name == 'vault' - - stat_opt_vault.stat.gr_name == 'vault' - - stat_opt_vault.stat.mode == '0755' - - - name: "Test: service vault" - block: - - name: "Get service vault" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/vault.service" - ansible.builtin.stat: - path: "/etc/systemd/system/vault.service" - register: stat_etc_systemd_system_vault_service - - - name: "Slurp file /etc/systemd/system/vault.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/vault.service" - register: slurp_etc_systemd_system_vault_service - - - name: "Verify service vault" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_vault_service.stat.exists - - stat_etc_systemd_system_vault_service.stat.isreg - - stat_etc_systemd_system_vault_service.stat.pw_name == 'root' - - stat_etc_systemd_system_vault_service.stat.gr_name == 'root' - - stat_etc_systemd_system_vault_service.stat.mode == '0644' - - slurp_etc_systemd_system_vault_service.content != '' - - ansible_facts.services['vault.service'] is defined - - ansible_facts.services['vault.service']['source'] == 'systemd' - - ansible_facts.services['vault.service']['state'] == 'running' - - ansible_facts.services['vault.service']['status'] == 'enabled' - - - name: "Test: bootstrap vault cluster" - block: - - name: "Command vault operator init" - ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -tls-skip-verify -format=json" - 
changed_when: false - register: vault_operator_init - - - name: "Test: unseal vault cluster" - vars: - vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}" - block: - - name: "Command vault operator init" - ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[0] }}" - changed_when: false - register: vault_operator_unseal_0 - - - name: "Command vault operator init" - ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[1] }}" - changed_when: false - register: vault_operator_unseal_1 - - - name: "Verify vault operator unseal" - vars: - vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}" - vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}" - ansible.builtin.assert: - that: - - vault_seal_state_0 - - not vault_seal_state_1 - - - name: "Test: vault interaction" - vars: - root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}" - block: - - name: "Command vault secret enable" - ansible.builtin.command: "vault secrets enable -version=1 -tls-skip-verify kv" - environment: - VAULT_TOKEN: "{{ root_token }}" - changed_when: false - register: vault_secret_enable - - - name: "Verify vault interaction" - ansible.builtin.assert: - that: - - vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/' diff --git a/roles/hashicorp_vault/molecule/default_vagrant/converge.yml b/roles/hashicorp_vault/molecule/default_vagrant/converge.yml deleted file mode 100644 index 96ffa3c..0000000 --- a/roles/hashicorp_vault/molecule/default_vagrant/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_vault" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_vault" 
diff --git a/roles/hashicorp_vault/molecule/default_vagrant/molecule.yml b/roles/hashicorp_vault/molecule/default_vagrant/molecule.yml deleted file mode 100644 index 2b02360..0000000 --- a/roles/hashicorp_vault/molecule/default_vagrant/molecule.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_vault/molecule/default_vagrant/requirements.yml b/roles/hashicorp_vault/molecule/default_vagrant/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_vault/molecule/default_vagrant/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_vault/molecule/default_vagrant/verify.yml b/roles/hashicorp_vault/molecule/default_vagrant/verify.yml deleted file mode 100644 index 5a577f5..0000000 --- a/roles/hashicorp_vault/molecule/default_vagrant/verify.yml +++ /dev/null 
@@ -1,162 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: vault user and group" - block: - - name: "Getent user vault" - ansible.builtin.getent: - database: passwd - key: vault - register: vault_user - - - name: "Getent group vault" - ansible.builtin.getent: - database: group - key: vault - register: vault_group - - - name: "Verify vault user and group" - ansible.builtin.assert: - that: - - not vault_user.failed - - not vault_group.failed - - "'vault' in vault_user.ansible_facts.getent_passwd.keys()" - - "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']" - - "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']" - - "'vault' in vault_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/vault.d" - block: - - name: "Stat directory /etc/vault.d" - ansible.builtin.stat: - path: "/etc/vault.d" - register: stat_etc_vault_d - - - name: "Stat file /etc/vault.d/vault.env" - ansible.builtin.stat: - path: "/etc/vault.d/vault.env" - register: stat_etc_vault_d_vault_env - - - name: "Stat file /etc/vault.d/vault.json" - ansible.builtin.stat: - path: "/etc/vault.d/vault.json" - register: stat_etc_vault_d_vault_json - - - name: "Slurp file /etc/vault.d/vault.json" - ansible.builtin.slurp: - src: "/etc/vault.d/vault.json" - register: slurp_etc_vault_d_vault_json - - - name: "Verify directory /etc/vault.d" - ansible.builtin.assert: - that: - - stat_etc_vault_d.stat.exists - - stat_etc_vault_d.stat.isdir - - stat_etc_vault_d.stat.pw_name == 'vault' - - stat_etc_vault_d.stat.gr_name == 'vault' - - stat_etc_vault_d.stat.mode == '0755' - - stat_etc_vault_d_vault_env.stat.exists - - stat_etc_vault_d_vault_env.stat.isreg - - stat_etc_vault_d_vault_env.stat.pw_name == 'vault' - - stat_etc_vault_d_vault_env.stat.gr_name == 'vault' - - stat_etc_vault_d_vault_env.stat.mode == '0600' - - stat_etc_vault_d_vault_json.stat.exists - - stat_etc_vault_d_vault_json.stat.isreg - - 
stat_etc_vault_d_vault_json.stat.pw_name == 'vault' - - stat_etc_vault_d_vault_json.stat.gr_name == 'vault' - - stat_etc_vault_d_vault_json.stat.mode == '0600' - - slurp_etc_vault_d_vault_json.content != '' - - - name: "Test: directory /opt/vault" - block: - - name: "Stat directory /opt/vault" - ansible.builtin.stat: - path: "/opt/vault" - register: stat_opt_vault - - - name: "Verify directory /opt/vault" - ansible.builtin.assert: - that: - - stat_opt_vault.stat.exists - - stat_opt_vault.stat.isdir - - stat_opt_vault.stat.pw_name == 'vault' - - stat_opt_vault.stat.gr_name == 'vault' - - stat_opt_vault.stat.mode == '0755' - - - name: "Test: service vault" - block: - - name: "Get service vault" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/vault.service" - ansible.builtin.stat: - path: "/etc/systemd/system/vault.service" - register: stat_etc_systemd_system_vault_service - - - name: "Slurp file /etc/systemd/system/vault.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/vault.service" - register: slurp_etc_systemd_system_vault_service - - - name: "Verify service vault" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_vault_service.stat.exists - - stat_etc_systemd_system_vault_service.stat.isreg - - stat_etc_systemd_system_vault_service.stat.pw_name == 'root' - - stat_etc_systemd_system_vault_service.stat.gr_name == 'root' - - stat_etc_systemd_system_vault_service.stat.mode == '0644' - - slurp_etc_systemd_system_vault_service.content != '' - - ansible_facts.services['vault.service'] is defined - - ansible_facts.services['vault.service']['source'] == 'systemd' - - ansible_facts.services['vault.service']['state'] == 'running' - - ansible_facts.services['vault.service']['status'] == 'enabled' - - - name: "Test: bootstrap vault cluster" - block: - - name: "Command vault operator init" - ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -tls-skip-verify -format=json" - 
changed_when: false - register: vault_operator_init - - - name: "Test: unseal vault cluster" - vars: - vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}" - block: - - name: "Command vault operator init" - ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[0] }}" - changed_when: false - register: vault_operator_unseal_0 - - - name: "Command vault operator init" - ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[1] }}" - changed_when: false - register: vault_operator_unseal_1 - - - name: "Verify vault operator unseal" - vars: - vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}" - vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}" - ansible.builtin.assert: - that: - - vault_seal_state_0 - - not vault_seal_state_1 - - - name: "Test: vault interaction" - vars: - root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}" - block: - - name: "Command vault secret enable" - ansible.builtin.command: "vault secrets enable -version=1 -tls-skip-verify kv" - environment: - VAULT_TOKEN: "{{ root_token }}" - changed_when: false - register: vault_secret_enable - - - name: "Verify vault interaction" - ansible.builtin.assert: - that: - - vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/' diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled/converge.yml b/roles/hashicorp_vault/molecule/with_raft_enabled/converge.yml deleted file mode 100644 index 96ffa3c..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_vault" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_vault" 
diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled/group_vars/all.yml b/roles/hashicorp_vault/molecule/with_raft_enabled/group_vars/all.yml deleted file mode 100644 index 8689496..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled/group_vars/all.yml +++ /dev/null @@ -1,52 +0,0 @@ ---- -# defaults file for hashicorp_vault -hashi_vault_install: true -hashi_vault_auto_update: true -hashi_vault_start_service: true -hashi_vault_version: latest -hashi_vault_deploy_method: host # deployment method, either host or docker -hashi_vault_env_variables: {} -hashi_vault_data_dir: "/opt/vault" -hashi_vault_extra_files: false -hashi_vault_extra_files_src: /tmp/extra_files -hashi_vault_extra_files_dst: /etc/vault.d/extra_files -#! vault configuration -hashi_vault_configuration: - cluster_name: vault - cluster_addr: "http://127.0.0.1:8201" - api_addr: "http://127.0.0.1:8200" - ui: true - disable_mlock: false - disable_cache: false - listener: - tcp: - address: "127.0.0.1:8200" - cluster_address: "127.0.0.1:8201" - tls_disable: 1 - tls_disable_client_certs: false - tls_cert_file: "{{ hashi_vault_data_dir }}/tls/tls.crt" # this use the autogenerated TLS certificates - tls_key_file: "{{ hashi_vault_data_dir }}/tls/tls.key" # this use the autogenerated TLS certificates - storage: - raft: - path: "{{ hashi_vault_data_dir }}/data" - node_id: "{{ ansible_hostname }}" - retry_join: - - leader_api_addr: "http://127.0.0.1:8200" - - leader_api_addr: "http://127.0.0.2:8200" - - leader_api_addr: "http://127.0.0.3:8200" - # service_registration: - # consul: - # address: 127.0.0.1:8500 - # scheme: https - # token: someUUIDforconsul - telemetry: - usage_gauge_period: 10m - maximum_gauge_cardinality: 500 - disable_hostname: false - enable_hostname_label: false - lease_metrics_epsilon: 1h - num_lease_metrics_buckets: 168 - add_lease_metrics_namespace_labels: false - filter_default: true - prefix_filter: [] - prometheus_retention_time: 24h 
diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled/molecule.yml b/roles/hashicorp_vault/molecule/with_raft_enabled/molecule.yml deleted file mode 100644 index fe9d010..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled/molecule.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_raft_enabled - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled/requirements.yml b/roles/hashicorp_vault/molecule/with_raft_enabled/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled/verify.yml b/roles/hashicorp_vault/molecule/with_raft_enabled/verify.yml deleted file mode 100644 index d1c06e8..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled/verify.yml +++ /dev/null 
@@ -1,169 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: vault user and group" - block: - - name: "Getent user vault" - ansible.builtin.getent: - database: passwd - key: vault - register: vault_user - - - name: "Getent group vault" - ansible.builtin.getent: - database: group - key: vault - register: vault_group - - - name: "Verify vault user and group" - ansible.builtin.assert: - that: - - not vault_user.failed - - not vault_group.failed - - "'vault' in vault_user.ansible_facts.getent_passwd.keys()" - - "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']" - - "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']" - - "'vault' in vault_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/vault.d" - block: - - name: "Stat directory /etc/vault.d" - ansible.builtin.stat: - path: "/etc/vault.d" - register: stat_etc_vault_d - - - name: "Stat file /etc/vault.d/vault.env" - ansible.builtin.stat: - path: "/etc/vault.d/vault.env" - register: stat_etc_vault_d_vault_env - - - name: "Stat file /etc/vault.d/vault.json" - ansible.builtin.stat: - path: "/etc/vault.d/vault.json" - register: stat_etc_vault_d_vault_json - - - name: "Slurp file /etc/vault.d/vault.json" - ansible.builtin.slurp: - src: "/etc/vault.d/vault.json" - register: slurp_etc_vault_d_vault_json - - - name: "Verify directory /etc/vault.d" - ansible.builtin.assert: - that: - - stat_etc_vault_d.stat.exists - - stat_etc_vault_d.stat.isdir - - stat_etc_vault_d.stat.pw_name == 'vault' - - stat_etc_vault_d.stat.gr_name == 'vault' - - stat_etc_vault_d.stat.mode == '0755' - - stat_etc_vault_d_vault_env.stat.exists - - stat_etc_vault_d_vault_env.stat.isreg - - stat_etc_vault_d_vault_env.stat.pw_name == 'vault' - - stat_etc_vault_d_vault_env.stat.gr_name == 'vault' - - stat_etc_vault_d_vault_env.stat.mode == '0600' - - stat_etc_vault_d_vault_json.stat.exists - - stat_etc_vault_d_vault_json.stat.isreg - - 
stat_etc_vault_d_vault_json.stat.pw_name == 'vault' - - stat_etc_vault_d_vault_json.stat.gr_name == 'vault' - - stat_etc_vault_d_vault_json.stat.mode == '0600' - - slurp_etc_vault_d_vault_json.content != '' - - - name: "Test: directory /opt/vault" - block: - - name: "Stat directory /opt/vault" - ansible.builtin.stat: - path: "/opt/vault" - register: stat_opt_vault - - - name: "Verify directory /opt/vault" - ansible.builtin.assert: - that: - - stat_opt_vault.stat.exists - - stat_opt_vault.stat.isdir - - stat_opt_vault.stat.pw_name == 'vault' - - stat_opt_vault.stat.gr_name == 'vault' - - stat_opt_vault.stat.mode == '0755' - - - name: "Test: service vault" - block: - - name: "Get service vault" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/vault.service" - ansible.builtin.stat: - path: "/etc/systemd/system/vault.service" - register: stat_etc_systemd_system_vault_service - - - name: "Slurp file /etc/systemd/system/vault.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/vault.service" - register: slurp_etc_systemd_system_vault_service - - - name: "Verify service vault" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_vault_service.stat.exists - - stat_etc_systemd_system_vault_service.stat.isreg - - stat_etc_systemd_system_vault_service.stat.pw_name == 'root' - - stat_etc_systemd_system_vault_service.stat.gr_name == 'root' - - stat_etc_systemd_system_vault_service.stat.mode == '0644' - - slurp_etc_systemd_system_vault_service.content != '' - - ansible_facts.services['vault.service'] is defined - - ansible_facts.services['vault.service']['source'] == 'systemd' - - ansible_facts.services['vault.service']['state'] == 'running' - - ansible_facts.services['vault.service']['status'] == 'enabled' - - - name: "Test: bootstrap vault cluster" - block: - - name: "Command vault operator init" - ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -tls-skip-verify -format=json" - 
environment: - VAULT_ADDR: "http://localhost:8200" - changed_when: false - register: vault_operator_init - - - name: "Test: unseal vault cluster" - vars: - vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}" - block: - - name: "Command vault operator init" - ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[0] }}" - environment: - VAULT_ADDR: "http://localhost:8200" - changed_when: false - register: vault_operator_unseal_0 - - - name: "Command vault operator init" - ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[1] }}" - environment: - VAULT_ADDR: "http://localhost:8200" - changed_when: false - register: vault_operator_unseal_1 - - - name: "Verify vault operator unseal" - vars: - vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}" - vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}" - ansible.builtin.assert: - that: - - vault_seal_state_0 - - not vault_seal_state_1 - - - name: "Test: vault interaction" - vars: - root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}" - block: - - name: "Command vault secret enable" - ansible.builtin.command: "vault secrets enable -version=1 -tls-skip-verify kv" - environment: - VAULT_ADDR: "http://localhost:8200" - VAULT_TOKEN: "{{ root_token }}" - changed_when: false - register: vault_secret_enable - - - name: "Verify vault interaction" - ansible.builtin.assert: - that: - - vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/' diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/converge.yml b/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/converge.yml deleted file mode 100644 index 96ffa3c..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/converge.yml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.hashicorp_vault" - ansible.builtin.include_role: - name: "ednxzu.hashicorp_vault" diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/group_vars/all.yml b/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/group_vars/all.yml deleted file mode 100644 index 8689496..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/group_vars/all.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -# defaults file for hashicorp_vault -hashi_vault_install: true -hashi_vault_auto_update: true -hashi_vault_start_service: true -hashi_vault_version: latest -hashi_vault_deploy_method: host # deployment method, either host or docker -hashi_vault_env_variables: {} -hashi_vault_data_dir: "/opt/vault" -hashi_vault_extra_files: false -hashi_vault_extra_files_src: /tmp/extra_files -hashi_vault_extra_files_dst: /etc/vault.d/extra_files -#! vault configuration -hashi_vault_configuration: - cluster_name: vault - cluster_addr: "http://127.0.0.1:8201" - api_addr: "http://127.0.0.1:8200" - ui: true - disable_mlock: false - disable_cache: false - listener: - tcp: - address: "127.0.0.1:8200" - cluster_address: "127.0.0.1:8201" - tls_disable: 1 - tls_disable_client_certs: false - tls_cert_file: "{{ hashi_vault_data_dir }}/tls/tls.crt" # this use the autogenerated TLS certificates - tls_key_file: "{{ hashi_vault_data_dir }}/tls/tls.key" # this use the autogenerated TLS certificates - storage: - raft: - path: "{{ hashi_vault_data_dir }}/data" - node_id: "{{ ansible_hostname }}" - retry_join: - - leader_api_addr: "http://127.0.0.1:8200" - - leader_api_addr: "http://127.0.0.2:8200" - - leader_api_addr: "http://127.0.0.3:8200" - # service_registration: - # consul: - # address: 127.0.0.1:8500 - # scheme: https - # token: someUUIDforconsul - telemetry: - usage_gauge_period: 10m - maximum_gauge_cardinality: 500 - disable_hostname: false - enable_hostname_label: false - lease_metrics_epsilon: 1h - num_lease_metrics_buckets: 168 - add_lease_metrics_namespace_labels: false - filter_default: true - prefix_filter: [] - prometheus_retention_time: 24h diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/molecule.yml b/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/molecule.yml deleted file mode 100644 index bb8d9b1..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/molecule.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_raft_enabled_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/requirements.yml b/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/verify.yml b/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/verify.yml deleted file mode 100644 index d1c06e8..0000000 --- a/roles/hashicorp_vault/molecule/with_raft_enabled_vagrant/verify.yml +++ /dev/null 
@@ -1,169 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: vault user and group" - block: - - name: "Getent user vault" - ansible.builtin.getent: - database: passwd - key: vault - register: vault_user - - - name: "Getent group vault" - ansible.builtin.getent: - database: group - key: vault - register: vault_group - - - name: "Verify vault user and group" - ansible.builtin.assert: - that: - - not vault_user.failed - - not vault_group.failed - - "'vault' in vault_user.ansible_facts.getent_passwd.keys()" - - "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']" - - "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']" - - "'vault' in vault_group.ansible_facts.getent_group.keys()" - - - name: "Test: directory /etc/vault.d" - block: - - name: "Stat directory /etc/vault.d" - ansible.builtin.stat: - path: "/etc/vault.d" - register: stat_etc_vault_d - - - name: "Stat file /etc/vault.d/vault.env" - ansible.builtin.stat: - path: "/etc/vault.d/vault.env" - register: stat_etc_vault_d_vault_env - - - name: "Stat file /etc/vault.d/vault.json" - ansible.builtin.stat: - path: "/etc/vault.d/vault.json" - register: stat_etc_vault_d_vault_json - - - name: "Slurp file /etc/vault.d/vault.json" - ansible.builtin.slurp: - src: "/etc/vault.d/vault.json" - register: slurp_etc_vault_d_vault_json - - - name: "Verify directory /etc/vault.d" - ansible.builtin.assert: - that: - - stat_etc_vault_d.stat.exists - - stat_etc_vault_d.stat.isdir - - stat_etc_vault_d.stat.pw_name == 'vault' - - stat_etc_vault_d.stat.gr_name == 'vault' - - stat_etc_vault_d.stat.mode == '0755' - - stat_etc_vault_d_vault_env.stat.exists - - stat_etc_vault_d_vault_env.stat.isreg - - stat_etc_vault_d_vault_env.stat.pw_name == 'vault' - - stat_etc_vault_d_vault_env.stat.gr_name == 'vault' - - stat_etc_vault_d_vault_env.stat.mode == '0600' - - stat_etc_vault_d_vault_json.stat.exists - - stat_etc_vault_d_vault_json.stat.isreg - - 
stat_etc_vault_d_vault_json.stat.pw_name == 'vault' - - stat_etc_vault_d_vault_json.stat.gr_name == 'vault' - - stat_etc_vault_d_vault_json.stat.mode == '0600' - - slurp_etc_vault_d_vault_json.content != '' - - - name: "Test: directory /opt/vault" - block: - - name: "Stat directory /opt/vault" - ansible.builtin.stat: - path: "/opt/vault" - register: stat_opt_vault - - - name: "Verify directory /opt/vault" - ansible.builtin.assert: - that: - - stat_opt_vault.stat.exists - - stat_opt_vault.stat.isdir - - stat_opt_vault.stat.pw_name == 'vault' - - stat_opt_vault.stat.gr_name == 'vault' - - stat_opt_vault.stat.mode == '0755' - - - name: "Test: service vault" - block: - - name: "Get service vault" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/vault.service" - ansible.builtin.stat: - path: "/etc/systemd/system/vault.service" - register: stat_etc_systemd_system_vault_service - - - name: "Slurp file /etc/systemd/system/vault.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/vault.service" - register: slurp_etc_systemd_system_vault_service - - - name: "Verify service vault" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_vault_service.stat.exists - - stat_etc_systemd_system_vault_service.stat.isreg - - stat_etc_systemd_system_vault_service.stat.pw_name == 'root' - - stat_etc_systemd_system_vault_service.stat.gr_name == 'root' - - stat_etc_systemd_system_vault_service.stat.mode == '0644' - - slurp_etc_systemd_system_vault_service.content != '' - - ansible_facts.services['vault.service'] is defined - - ansible_facts.services['vault.service']['source'] == 'systemd' - - ansible_facts.services['vault.service']['state'] == 'running' - - ansible_facts.services['vault.service']['status'] == 'enabled' - - - name: "Test: bootstrap vault cluster" - block: - - name: "Command vault operator init" - ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -tls-skip-verify -format=json" - 
environment: - VAULT_ADDR: "http://localhost:8200" - changed_when: false - register: vault_operator_init - - - name: "Test: unseal vault cluster" - vars: - vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}" - block: - - name: "Command vault operator init" - ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[0] }}" - environment: - VAULT_ADDR: "http://localhost:8200" - changed_when: false - register: vault_operator_unseal_0 - - - name: "Command vault operator init" - ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[1] }}" - environment: - VAULT_ADDR: "http://localhost:8200" - changed_when: false - register: vault_operator_unseal_1 - - - name: "Verify vault operator unseal" - vars: - vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}" - vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}" - ansible.builtin.assert: - that: - - vault_seal_state_0 - - not vault_seal_state_1 - - - name: "Test: vault interaction" - vars: - root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}" - block: - - name: "Command vault secret enable" - ansible.builtin.command: "vault secrets enable -version=1 -tls-skip-verify kv" - environment: - VAULT_ADDR: "http://localhost:8200" - VAULT_TOKEN: "{{ root_token }}" - changed_when: false - register: vault_secret_enable - - - name: "Verify vault interaction" - ansible.builtin.assert: - that: - - vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/' diff --git a/roles/hashicorp_vault/tasks/configure.yml b/roles/hashicorp_vault/tasks/configure.yml deleted file mode 100644 index f114db1..0000000 --- a/roles/hashicorp_vault/tasks/configure.yml +++ /dev/null 
@@ -1,46 +0,0 @@
----
-# task/configure file for hashicorp_vault
-- name: "Ensure default vault.hcl is removed"
- ansible.builtin.file:
- path: /etc/vault.d/vault.hcl
- state: absent
-
-- name: "Copy vault.json template"
- ansible.builtin.template:
- src: vault.json.j2
- dest: "{{ hashi_vault_config_dir }}/vault.json"
- owner: "{{ hashi_vault_user }}"
- group: "{{ hashi_vault_group }}"
- mode: '0600'
- notify:
- - "systemctl-enable-vault"
- - "systemctl-restart-vault"
-
-- name: "Create vault.env"
- ansible.builtin.template:
- src: vault.env.j2
- dest: "{{ hashi_vault_config_dir }}/vault.env"
- owner: "{{ hashi_vault_user }}"
- group: "{{ hashi_vault_group }}"
- mode: '0600'
-
-- name: "Copy extra configuration files"
- when: hashi_vault_extra_files
- block:
- - name: "Create directory {{ hashi_vault_extra_files_dst }}"
- ansible.builtin.file:
- path: "{{ hashi_vault_extra_files_dst }}"
- state: directory
- owner: "{{ hashi_vault_user }}"
- group: "{{ hashi_vault_group }}"
- mode: '0755'
-
- - name: "Copy extra configuration files"
- ansible.builtin.template:
- src: "{{ item }}"
- dest: "{{ hashi_vault_extra_files_dst }}/{{ (item | basename).split('.')[:-1] | join('.')}}"
- owner: "{{ hashi_vault_user }}"
- group: "{{ hashi_vault_group }}"
- mode: '0600'
- with_fileglob:
- - "{{ hashi_vault_extra_files_src }}/*"
diff --git a/roles/hashicorp_vault/tasks/install.yml b/roles/hashicorp_vault/tasks/install.yml
deleted file mode 100644
index cbf7f96..0000000
--- a/roles/hashicorp_vault/tasks/install.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-# task/install file for hashicorp_vault
-- name: "Configure hashicorp repository"
- ansible.builtin.include_role:
- name: ednxzu.manage_repositories
- vars:
- manage_repositories_enable_default_repo: false
- manage_repositories_enable_custom_repo: true
- manage_repositories_custom_repo: "{{ hashi_vault_repository }}"
-
-- name: "Install vault:{{ hashi_vault_version }}"
- ansible.builtin.include_role:
- name: ednxzu.manage_apt_packages
- vars:
- manage_apt_packages_list: "{{ hashi_vault_packages }}"
-
-- name: "Copy systemd service file for vault"
- ansible.builtin.template:
- src: "vault.service.j2"
- dest: "/etc/systemd/system/vault.service"
- owner: root
- group: root
- mode: '0644'
- notify:
- - "systemctl-daemon-reload"
diff --git a/roles/hashicorp_vault/tasks/main.yml b/roles/hashicorp_vault/tasks/main.yml
deleted file mode 100644
index f7db3e8..0000000
--- a/roles/hashicorp_vault/tasks/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-# task/main file for hashicorp_vault
-- name: "Import prerequisites.yml"
- ansible.builtin.include_tasks: prerequisites.yml
-
-- name: "Import install.yml"
- ansible.builtin.include_tasks: install.yml
- when: hashi_vault_install
-
-- name: "Import configure.yml"
- ansible.builtin.include_tasks: configure.yml
diff --git a/roles/hashicorp_vault/tasks/prerequisites.yml b/roles/hashicorp_vault/tasks/prerequisites.yml
deleted file mode 100644
index 4874dd8..0000000
--- a/roles/hashicorp_vault/tasks/prerequisites.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-# task/prerequisites file for hashicorp_vault
-- name: "Create group {{ hashi_vault_group }}"
- ansible.builtin.group:
- name: "{{ hashi_vault_user }}"
- state: present
-
-- name: "Create user {{ hashi_vault_user }}"
- ansible.builtin.user:
- name: "{{ hashi_vault_user }}"
- group: "{{ hashi_vault_group }}"
- shell: /bin/false
- state: present
-
-- name: "Create directory {{ hashi_vault_config_dir }}"
- ansible.builtin.file:
- path: "{{ hashi_vault_config_dir }}"
- state: directory
- owner: "{{ hashi_vault_user }}"
- group: "{{ hashi_vault_group }}"
- mode: '0755'
-
-- name: "Create directory {{ hashi_vault_data_dir }}"
- ansible.builtin.file:
- path: "{{ hashi_vault_data_dir }}"
- state: directory
- owner: "{{ hashi_vault_user }}"
- group: "{{ hashi_vault_group }}"
- mode: '0755'
diff --git a/roles/hashicorp_vault/templates/vault.env.j2 b/roles/hashicorp_vault/templates/vault.env.j2
deleted file mode 100644
index 73c6327..0000000
--- a/roles/hashicorp_vault/templates/vault.env.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-{% for item in hashi_vault_env_variables %}
-{{ item|upper }}="{{ hashi_vault_env_variables[item] }}"
-{% endfor %}
\ No newline at end of file
diff --git a/roles/hashicorp_vault/templates/vault.json.j2 b/roles/hashicorp_vault/templates/vault.json.j2
deleted file mode 100644
index b0964d6..0000000
--- a/roles/hashicorp_vault/templates/vault.json.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{ hashi_vault_configuration|to_nice_json }}
\ No newline at end of file
diff --git a/roles/hashicorp_vault/templates/vault.service.j2 b/roles/hashicorp_vault/templates/vault.service.j2
deleted file mode 100644
index b2eb09d..0000000
--- a/roles/hashicorp_vault/templates/vault.service.j2
+++ /dev/null
@@ -1,38 +0,0 @@
-[Unit]
-Description="HashiCorp Vault - A tool for managing secrets"
-Documentation=https://www.vaultproject.io/docs/
-Requires=network-online.target
-After=network-online.target
-ConditionFileNotEmpty={{ hashi_vault_config_dir }}/vault.json
-StartLimitIntervalSec=60
-StartLimitBurst=3
-{% if hashi_vault_configuration.storage.consul is defined or hashi_vault_configuration.service_registration.consul is defined %}
-Wants=consul.service
-After=consul.service
-{% endif %}
-
-[Service]
-Type=notify
-EnvironmentFile=-{{ hashi_vault_config_dir }}/vault.env
-User={{ hashi_vault_user }}
-Group={{ hashi_vault_group }}
-ProtectSystem=full
-ProtectHome=read-only
-PrivateTmp=yes
-PrivateDevices=yes
-SecureBits=keep-caps
-AmbientCapabilities=CAP_IPC_LOCK
-CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
-NoNewPrivileges=yes
-ExecStart=/usr/bin/vault server -config={{ hashi_vault_config_dir }}
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillMode=process
-KillSignal=SIGINT
-Restart=on-failure
-RestartSec=5
-TimeoutStopSec=30
-LimitNOFILE=65536
-LimitMEMLOCK=infinity
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/hashicorp_vault/vars/main.yml b/roles/hashicorp_vault/vars/main.yml
deleted file mode 100644
index bfcf3d3..0000000
--- a/roles/hashicorp_vault/vars/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-# vars file for hashicorp_vault
-hashi_vault_user: vault
-hashi_vault_group: vault
-hashi_vault_config_dir: "/etc/vault.d"
-hashi_vault_repository:
- - name: hashicorp
- uri: "https://apt.releases.hashicorp.com"
- comments: "hashicorp repository"
- types:
- - deb
- suites:
- - "{{ ansible_distribution_release }}"
- components:
- - main
- options:
- Signed-By: "https://apt.releases.hashicorp.com/gpg"
-hashi_vault_packages:
- - name: vault
- version: "{{ hashi_vault_version }}"
- state: "{% if hashi_vault_auto_update %}latest{% else %}present{% endif %}"
diff --git a/roles/import_vault_root_ca/LICENSE b/roles/import_vault_root_ca/LICENSE deleted file mode 100644 index c9a37e5..0000000 --- a/roles/import_vault_root_ca/LICENSE +++ /dev/null @@ -1,20 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2017 Bertrand Lanson - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/roles/import_vault_root_ca/README.md b/roles/import_vault_root_ca/README.md deleted file mode 100644 index 1d5dd6a..0000000 --- a/roles/import_vault_root_ca/README.md +++ /dev/null 
@@ -1,51 +0,0 @@ -import_vault_root_ca -========= -> This repository is only a mirror. Development and testing is done on a private gitea server. - -This role imports root CA certificates from Vault to the trust store on **debian-based** distributions. - -Requirements ------------- - -None. - -Role Variables --------------- -Available variables are listed below, along with default values. A sample file for the default values is available in `default/import_vault_root_ca.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. - -```yaml -import_vault_root_ca_certificate_force_download: false # by default, set to false -``` -This variable defines whether the role should always download the provided certificate even if it already exists. This can be useful if you want to replace an existing CA, but note that **it breaks idempotence**. - -```yaml -import_vault_root_ca_certificate_list: [] # by default, set to an empty dict - - url: - cert_name: -``` -This variable defines which CA certificate to install on the machine, it is only tested with CA from Hashicorp Vault pki engine, but should work with any CA that can be downloaded from a webserver. - -Dependencies ------------- - -`ednxzu.manage_apt_packages` to install consul-template. - -Example Playbook ----------------- - -```yaml -# calling the role inside a playbook with either the default or group_vars/host_vars -- hosts: servers - roles: - - ednxzu.import_vault_root_ca -``` - -License -------- - -MIT / BSD - -Author Information ------------------- - -This role was created by Bertrand Lanson in 2023. diff --git a/roles/import_vault_root_ca/defaults/main.yml b/roles/import_vault_root_ca/defaults/main.yml deleted file mode 100644 index d36169d..0000000 --- a/roles/import_vault_root_ca/defaults/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# defaults file for import_vault_root_ca -import_vault_root_ca_certificate_force_download: false -import_vault_root_ca_certificate_list: [] 
diff --git a/roles/import_vault_root_ca/handlers/main.yml b/roles/import_vault_root_ca/handlers/main.yml deleted file mode 100644 index c35ea85..0000000 --- a/roles/import_vault_root_ca/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# handlers file for import_vault_root_ca -- name: "Update the trust store" - ansible.builtin.command: update-ca-certificates - changed_when: false - listen: "update-ca-certificates" diff --git a/roles/import_vault_root_ca/meta/main.yml b/roles/import_vault_root_ca/meta/main.yml deleted file mode 100644 index c5bebf8..0000000 --- a/roles/import_vault_root_ca/meta/main.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -# meta file for hashicorp_nomad -galaxy_info: - namespace: 'ednxzu' - role_name: 'import_vault_root_ca' - author: 'Bertrand Lanson' - description: 'Imports root CA certificates from Vault to the trust store on debian-based distros.' - license: 'license (BSD, MIT)' - min_ansible_version: '2.10' - platforms: - - name: Ubuntu - versions: - - focal - - jammy - - name: Debian - versions: - - bullseye - - bookworm - galaxy_tags: - - 'ubuntu' - - 'debian' - - 'vault' - - 'openssl' - - 'store' - - 'certificate' - -dependencies: [] diff --git a/roles/import_vault_root_ca/molecule/default/converge.yml b/roles/import_vault_root_ca/molecule/default/converge.yml deleted file mode 100644 index 6a07ee9..0000000 --- a/roles/import_vault_root_ca/molecule/default/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.import_vault_root_ca" - ansible.builtin.include_role: - name: "ednxzu.import_vault_root_ca" diff --git a/roles/import_vault_root_ca/molecule/default/molecule.yml b/roles/import_vault_root_ca/molecule/default/molecule.yml deleted file mode 100644 index 49efc7f..0000000 --- a/roles/import_vault_root_ca/molecule/default/molecule.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/import_vault_root_ca/molecule/default/requirements.yml b/roles/import_vault_root_ca/molecule/default/requirements.yml deleted file mode 100644 index ca250b7..0000000 --- a/roles/import_vault_root_ca/molecule/default/requirements.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_apt_packages diff --git a/roles/import_vault_root_ca/molecule/default/verify.yml b/roles/import_vault_root_ca/molecule/default/verify.yml deleted file mode 100644 index 55097ef..0000000 --- a/roles/import_vault_root_ca/molecule/default/verify.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: directory /usr/local/share/ca-certificates" - block: - - name: "Stat directory /usr/local/share/ca-certificates" - ansible.builtin.stat: - path: "/usr/local/share/ca-certificates" - register: usr_local_share_ca_certificates - - - name: "Find files in directory /usr/local/share/ca-certificates" - ansible.builtin.find: - paths: "/usr/local/share/ca-certificates" - file_type: file - register: usr_local_share_ca_certificates_ls - - - name: "Verify directory /usr/local/share/ca-certificates" - ansible.builtin.assert: - that: - - usr_local_share_ca_certificates.stat.exists - - usr_local_share_ca_certificates.stat.isdir - - usr_local_share_ca_certificates.stat.pw_name == 'root' - - usr_local_share_ca_certificates.stat.gr_name == 'root' - - usr_local_share_ca_certificates.stat.mode == '0755' - - (usr_local_share_ca_certificates_ls.files|length) == 0 diff --git a/roles/import_vault_root_ca/molecule/default_vagrant/converge.yml b/roles/import_vault_root_ca/molecule/default_vagrant/converge.yml deleted file mode 100644 index 6a07ee9..0000000 --- a/roles/import_vault_root_ca/molecule/default_vagrant/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.import_vault_root_ca" - ansible.builtin.include_role: - name: "ednxzu.import_vault_root_ca" diff --git a/roles/import_vault_root_ca/molecule/default_vagrant/molecule.yml b/roles/import_vault_root_ca/molecule/default_vagrant/molecule.yml deleted file mode 100644 index 2b02360..0000000 --- a/roles/import_vault_root_ca/molecule/default_vagrant/molecule.yml +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/import_vault_root_ca/molecule/default_vagrant/requirements.yml b/roles/import_vault_root_ca/molecule/default_vagrant/requirements.yml deleted file mode 100644 index ca250b7..0000000 --- a/roles/import_vault_root_ca/molecule/default_vagrant/requirements.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_apt_packages diff --git a/roles/import_vault_root_ca/molecule/default_vagrant/verify.yml b/roles/import_vault_root_ca/molecule/default_vagrant/verify.yml deleted file mode 100644 index 55097ef..0000000 --- a/roles/import_vault_root_ca/molecule/default_vagrant/verify.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: directory /usr/local/share/ca-certificates" - block: - - name: "Stat directory /usr/local/share/ca-certificates" - ansible.builtin.stat: - path: "/usr/local/share/ca-certificates" - register: usr_local_share_ca_certificates - - - name: "Find files in directory /usr/local/share/ca-certificates" - ansible.builtin.find: - paths: "/usr/local/share/ca-certificates" - file_type: file - register: usr_local_share_ca_certificates_ls - - - name: "Verify directory /usr/local/share/ca-certificates" - ansible.builtin.assert: - that: - - usr_local_share_ca_certificates.stat.exists - - usr_local_share_ca_certificates.stat.isdir - - usr_local_share_ca_certificates.stat.pw_name == 'root' - - usr_local_share_ca_certificates.stat.gr_name == 'root' - - usr_local_share_ca_certificates.stat.mode == '0755' - - (usr_local_share_ca_certificates_ls.files|length) == 0 diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca/converge.yml b/roles/import_vault_root_ca/molecule/with_custom_ca/converge.yml deleted file mode 100644 index 6a07ee9..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.import_vault_root_ca" - ansible.builtin.include_role: - name: "ednxzu.import_vault_root_ca" diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca/group_vars/all.yml b/roles/import_vault_root_ca/molecule/with_custom_ca/group_vars/all.yml deleted file mode 100644 index 805668d..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca/group_vars/all.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -import_vault_root_ca_certificate_force_download: false -import_vault_root_ca_certificate_list: - - url: "https://letsencrypt.org/certs/isrg-root-x2.pem" - cert_name: "isrg_root" 
diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca/molecule.yml b/roles/import_vault_root_ca/molecule/with_custom_ca/molecule.yml deleted file mode 100644 index 7150297..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca/molecule.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_custom_ca - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca/requirements.yml b/roles/import_vault_root_ca/molecule/with_custom_ca/requirements.yml deleted file mode 100644 index ca250b7..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca/requirements.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_apt_packages diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca/verify.yml b/roles/import_vault_root_ca/molecule/with_custom_ca/verify.yml deleted file mode 100644 index f25fa2f..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca/verify.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: directory /usr/local/share/ca-certificates" - block: - - name: "Stat directory /usr/local/share/ca-certificates" - ansible.builtin.stat: - path: "/usr/local/share/ca-certificates" - register: usr_local_share_ca_certificates - - - name: "Find files in directory /usr/local/share/ca-certificates" - ansible.builtin.find: - paths: "/usr/local/share/ca-certificates" - file_type: file - register: usr_local_share_ca_certificates_ls - - - name: "Verify directory /usr/local/share/ca-certificates" - ansible.builtin.assert: - that: - - usr_local_share_ca_certificates.stat.exists - - usr_local_share_ca_certificates.stat.isdir - - usr_local_share_ca_certificates.stat.pw_name == 'root' - - usr_local_share_ca_certificates.stat.gr_name == 'root' - - usr_local_share_ca_certificates.stat.mode == '0755' - - (usr_local_share_ca_certificates_ls.files|length) == 1 - - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt' - - - name: "Test: certificate isrg_root.crt" - block: - - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt" - ansible.builtin.stat: - path: "/usr/local/share/ca-certificates/isrg_root.crt" - register: isrg_root_file - - - name: "Get certificate info" - community.crypto.x509_certificate_info: - path: "/usr/local/share/ca-certificates/isrg_root.crt" - register: isrg_root_pem - - - name: "Verify certificate is readable" - ansible.builtin.assert: - that: - - isrg_root_file.stat.exists - - isrg_root_file.stat.isreg - - isrg_root_file.stat.pw_name == 'root' - - isrg_root_file.stat.gr_name == 'root' - - isrg_root_file.stat.mode == '0644' - - not isrg_root_pem.failed - - not isrg_root_pem.expired - - isrg_root_pem.issuer == isrg_root_pem.subject 
diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/converge.yml b/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/converge.yml deleted file mode 100644 index 6a07ee9..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.import_vault_root_ca" - ansible.builtin.include_role: - name: "ednxzu.import_vault_root_ca" diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/group_vars/all.yml b/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/group_vars/all.yml deleted file mode 100644 index 805668d..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/group_vars/all.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -import_vault_root_ca_certificate_force_download: false -import_vault_root_ca_certificate_list: - - url: "https://letsencrypt.org/certs/isrg-root-x2.pem" - cert_name: "isrg_root" diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/molecule.yml b/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/molecule.yml deleted file mode 100644 index 263943e..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/molecule.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_custom_ca_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy 
diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/requirements.yml b/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/requirements.yml deleted file mode 100644 index ca250b7..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/requirements.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_apt_packages diff --git a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/verify.yml b/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/verify.yml deleted file mode 100644 index f25fa2f..0000000 --- a/roles/import_vault_root_ca/molecule/with_custom_ca_vagrant/verify.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: directory /usr/local/share/ca-certificates" - block: - - name: "Stat directory /usr/local/share/ca-certificates" - ansible.builtin.stat: - path: "/usr/local/share/ca-certificates" - register: usr_local_share_ca_certificates - - - name: "Find files in directory /usr/local/share/ca-certificates" - ansible.builtin.find: - paths: "/usr/local/share/ca-certificates" - file_type: file - register: usr_local_share_ca_certificates_ls - - - name: "Verify directory /usr/local/share/ca-certificates" - ansible.builtin.assert: - that: - - usr_local_share_ca_certificates.stat.exists - - usr_local_share_ca_certificates.stat.isdir - - usr_local_share_ca_certificates.stat.pw_name == 'root' - - usr_local_share_ca_certificates.stat.gr_name == 'root' - - usr_local_share_ca_certificates.stat.mode == '0755' - - (usr_local_share_ca_certificates_ls.files|length) == 1 - - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt' - - - name: "Test: certificate isrg_root.crt" - block: - - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt" - ansible.builtin.stat: - path: "/usr/local/share/ca-certificates/isrg_root.crt" - register: isrg_root_file - - - name: "Get certificate info" - community.crypto.x509_certificate_info: - path: "/usr/local/share/ca-certificates/isrg_root.crt" - register: isrg_root_pem - - - name: "Verify certificate is readable" - ansible.builtin.assert: - that: - - isrg_root_file.stat.exists - - isrg_root_file.stat.isreg - - isrg_root_file.stat.pw_name == 'root' - - isrg_root_file.stat.gr_name == 'root' - - isrg_root_file.stat.mode == '0644' - - not isrg_root_pem.failed - - not isrg_root_pem.expired - - isrg_root_pem.issuer == isrg_root_pem.subject diff --git a/roles/import_vault_root_ca/tasks/import.yml b/roles/import_vault_root_ca/tasks/import.yml deleted file mode 100644 index 19596dd..0000000 
--- a/roles/import_vault_root_ca/tasks/import.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-# task/import file for import_vault_root_ca
-- name: "Download certificate file"
- ansible.builtin.get_url:
- url: "{{ item.url }}"
- validate_certs: false
- force: "{{ import_vault_root_ca_certificate_force_download }}"
- dest: "/tmp/{{ item.cert_name }}.tmp"
- mode: '0644'
- loop: "{{ import_vault_root_ca_certificate_list }}"
- register: download_results
-
-- name: "Check certificate format"
- ansible.builtin.command: >
- openssl x509 -inform PEM -noout -in {{ item.dest }}
- loop: "{{ download_results.results }}"
- register: cert_format_results
- changed_when: false
- failed_when: false
-
-- name: "Make sure certificate is in PEM format"
- ansible.builtin.command:
- cmd: openssl x509 -inform {{ 'PEM' if item.rc == 0 else 'DER' }} -in {{ item.item.dest }} -out {{ import_vault_root_ca_cert_dir }}/{{ item.item.item.cert_name }}.crt -outform pem
- creates: "{{ import_vault_root_ca_cert_dir }}/{{ item.item.item.cert_name }}.crt"
- loop: "{{ cert_format_results.results }}"
- notify:
- - update-ca-certificates
diff --git a/roles/import_vault_root_ca/tasks/main.yml b/roles/import_vault_root_ca/tasks/main.yml
deleted file mode 100644
index 9adbc03..0000000
--- a/roles/import_vault_root_ca/tasks/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# task/main file for import_vault_root_ca
-- name: "Import prerequisites.yml"
- ansible.builtin.include_tasks: prerequisites.yml
-
-- name: "Import import.yml"
- ansible.builtin.include_tasks: import.yml
diff --git a/roles/import_vault_root_ca/tasks/prerequisites.yml b/roles/import_vault_root_ca/tasks/prerequisites.yml
deleted file mode 100644
index c890667..0000000
--- a/roles/import_vault_root_ca/tasks/prerequisites.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# task/prerequisites file for import_vault_root_ca
-- name: "Install dependencies"
- ansible.builtin.include_role:
- name: ednxzu.manage_apt_packages
- vars:
- manage_apt_packages_list: "{{ import_vault_root_ca_packages }}"
-
-- name: "Create directory {{ import_vault_root_ca_cert_dir }}"
- ansible.builtin.file:
- path: "{{ import_vault_root_ca_cert_dir }}"
- state: directory
- owner: "root"
- group: "root"
- mode: '0755'
diff --git a/roles/import_vault_root_ca/vars/main.yml b/roles/import_vault_root_ca/vars/main.yml
deleted file mode 100644
index fa7eee6..0000000
--- a/roles/import_vault_root_ca/vars/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# vars file for import_vault_root_ca
-import_vault_root_ca_cert_dir: /usr/local/share/ca-certificates
-import_vault_root_ca_packages:
- - name: openssl
- version: latest
- state: present
- - name: ca-certificates
- version: latest
- state: present
diff --git a/roles/renew_consul_certificates/LICENSE b/roles/renew_consul_certificates/LICENSE
deleted file mode 100644
index c9a37e5..0000000
--- a/roles/renew_consul_certificates/LICENSE
+++ /dev/null
@@ -1,20 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2017 Bertrand Lanson - -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the "Software"), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/roles/renew_consul_certificates/README.md b/roles/renew_consul_certificates/README.md deleted file mode 100644 index 5a89774..0000000 --- a/roles/renew_consul_certificates/README.md +++ /dev/null 
@@ -1,123 +0,0 @@ -renew_consul_certificates -========= -> This repository is only a mirror. Development and testing is done on a private gitea server. - -This role install consul-template and configure a service to automate renewal of TLS certificates for Hashicorp Consul on **debian-based** distributions. - -Requirements ------------- - -This role assume that you already have installed a consul server on the host, and is only here to assist in automating the certificate renewal process. - -Role Variables --------------- -Available variables are listed below, along with default values. A sample file for the default values is available in `default/renew_consul_certificates.yml.sample` in case you need it for any `group_vars` or `host_vars` configuration. - -```yaml -renew_consul_certificates_config_dir: /etc/consul-template.d/consul # by default, set to /etc/consul-template.d/consul -``` -This variable defines where the files for the role are stored (consul-template configuration + templates). - -```yaml -renew_consul_certificates_consul_user: consul # by default, set to consul -``` -This variable defines the user that'll be running the certificate renewal service. Defaults to `consul`, and should be present on the host prior to playing this role (ideally when installing consul). - -```yaml -renew_consul_certificates_consul_group: consul # by default, set to consul -``` -This variable defines the group that'll be running the certificate renewal service. Defaults to `consul`, and should be present on the host prior to playing this role (ideally when installing consul). - -```yaml -renew_consul_certificates_service_env_variables: - consul_http_addr: http://127.0.0.1:8500 - # consul_http_token: -``` -This variable sets the environment variables for the consul-certs services (notably the address and token to use for the `consul reload` command). 
- -```yaml -renew_consul_certificates_vault_addr: https://vault.example.com # by default, set to https://vault.example.com -``` -This variable defines the address the consul-template service will query to get the new certificates. Defaults to localhost, but can be changed if vault isnt reachable on localhost. - -```yaml -renew_consul_certificates_vault_token: mysupersecretvaulttokenthatyoushouldchange # by default, set to a dummy string -``` -This variable defines the vault token top use to access vault and renew the certificate. Default is a dummy string to pass unit tests. - -```yaml -renew_consul_certificates_vault_token_unwrap: false # by default, set to false -``` -Defines whether or not the token is wrapped and should be unwrapped (this is an enterprise-only feature of vault at the moment). - -```yaml -renew_consul_certificates_vault_token_renew: true # by default, set to true -``` -This variable defines whether or not to renew the vault token. It should probably be `true`, and you should have a periodic token to handle this. - -```yaml -renew_consul_certificates_ca_dest: /opt/consul/tls/ca.pem # by default, set to /opt/consul/tls/ca.pem -``` -This variable defines where to copy the certificate authority upon renewal. Default to `/opt/consul/tls/ca.pem` but should be changed depending on where you store the certificate authority. - -```yaml -renew_consul_certificates_cert_dest: /opt/consul/tls/cert.pem # by default, set to /opt/consul/tls/cert.pem -``` -This variable defines where to copy the certificates upon renewal. Default to `/opt/consul/tls/cert.pem` but should be changed depending on where you store the certificates. - -```yaml -renew_consul_certificates_key_dest: /opt/consul/tls/key.pem # by default, set to /opt/consul/tls/cert.pem -``` -This variable defines where to copy the private keys upon renewal. Default to `/opt/consul/tls/key.pem` but should be changed depending on where you store the keys. 
- -```yaml -renew_consul_certificates_info: # by default, set to: - issuer_path: pki/issue/your-issuer - common_name: consul01.example.com - ttl: 90d - is_server: false - include_consul_service: false -``` -This variable defines the path on vault to retrieve the certificates, as well as the common name and TTL to use for it. It can also include consul aliases in case you have registered consul services in itself (`consul.service.consul`). It also handles whether or not to append the server.yourdc.consul SAN, in case you're enforcing hostname checking. - -```yaml -renew_consul_certificates_consul_dc_name: dc1.consul # by default, set to dc1.consul -``` -In case you enforce hostname checking, set this variable to your desired dc and consul domain. This is used to forge the SAN that will be checked by consul to only allow specific nodes to be managers. - -```yaml -renew_consul_certificates_consul_service_name: consul.service.consul # by default, set to consul.service.consul -``` -This variable defines the consul service name in consul. Default is `consul.service.consul` - -```yaml -renew_consul_certificates_start_service: false -``` -This variable defines whether or not to start the service after creating it. By default, it is only enabled, but not started, in case you're building golden images (in which case you probably don't want a certificate generated during the build process). - -Dependencies ------------- - -`ednxzu.manage_repositories` to configure hashicorp apt repository. -`ednxzu.manage_apt_packages` to install consul-template. 
- -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: -```yaml -# calling the role inside a playbook with either the default or group_vars/host_vars -- hosts: servers - roles: - - ednxzu.renew_consul_certificates -``` - -License -------- - -MIT / BSD - -Author Information ------------------- - -This role was created by Bertrand Lanson in 2023. diff --git a/roles/renew_consul_certificates/defaults/main.yml b/roles/renew_consul_certificates/defaults/main.yml deleted file mode 100644 index a5a13ea..0000000 --- a/roles/renew_consul_certificates/defaults/main.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -# defaults file for renew_consul_certificates -renew_consul_certificates_config_dir: /etc/consul-template.d/consul -renew_consul_certificates_consul_user: consul -renew_consul_certificates_consul_group: consul -renew_consul_certificates_service_env_variables: - consul_http_addr: http://127.0.0.1:8500 - # consul_http_token: -renew_consul_certificates_vault_addr: "https://vault.example.com" -renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange -renew_consul_certificates_vault_token_unwrap: false -renew_consul_certificates_vault_token_renew: true -renew_consul_certificates_ca_dest: /opt/consul/tls/ca.pem -renew_consul_certificates_cert_dest: /opt/consul/tls/cert.pem -renew_consul_certificates_key_dest: /opt/consul/tls/key.pem -renew_consul_certificates_info: - issuer_path: pki/issue/your-issuer - common_name: consul01.example.com - ttl: 90d - is_server: false - include_consul_service: false -renew_consul_certificates_consul_dc_name: dc1.consul -renew_consul_certificates_consul_service_name: consul.service.consul -renew_consul_certificates_start_service: false 
diff --git a/roles/renew_consul_certificates/defaults/renew_consul_certificates.yml.sample b/roles/renew_consul_certificates/defaults/renew_consul_certificates.yml.sample deleted file mode 100644 index e289122..0000000 --- a/roles/renew_consul_certificates/defaults/renew_consul_certificates.yml.sample +++ /dev/null @@ -1,23 +0,0 @@ ---- -# renew_consul_certificates_config_dir: /etc/consul-template.d/consul -# renew_consul_certificates_consul_user: consul -# renew_consul_certificates_consul_group: consul -# renew_consul_certificates_service_env_variables: -# consul_http_addr: http://127.0.0.1:8500 -# # consul_http_token: -# renew_consul_certificates_vault_addr: "https://consul.example.com" -# renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange -# renew_consul_certificates_vault_token_unwrap: false -# renew_consul_certificates_vault_token_renew: true -# renew_consul_certificates_ca_dest: /opt/consul/tls/ca.pem -# renew_consul_certificates_cert_dest: /opt/consul/tls/cert.pem -# renew_consul_certificates_key_dest: /opt/consul/tls/key.pem -# renew_consul_certificates_info: -# issuer_path: pki/issue/your-issuer -# common_name: consul01.example.com -# ttl: 90d -# is_server: false -# include_consul_service: false -# renew_consul_certificates_consul_dc_name: dc1.consul -# renew_consul_certificates_consul_service_name: consul.service.consul -# renew_consul_certificates_start_service: false diff --git a/roles/renew_consul_certificates/handlers/main.yml b/roles/renew_consul_certificates/handlers/main.yml deleted file mode 100644 index 6c9f41b..0000000 --- a/roles/renew_consul_certificates/handlers/main.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -# handlers file for renew_consul_certificates -- name: "Reload service file" - ansible.builtin.systemd: - daemon_reload: true - listen: "systemctl-daemon-reload" - -- name: "Enable consul-certs service" - ansible.builtin.service: - name: consul-certs - enabled: true - listen: "systemctl-enable-consul-certs" - -- name: "Start consul-certs service" - ansible.builtin.service: - name: consul-certs - state: restarted - listen: "systemctl-restart-consul-certs" - when: renew_consul_certificates_start_service diff --git a/roles/renew_consul_certificates/meta/main.yml b/roles/renew_consul_certificates/meta/main.yml deleted file mode 100644 index 800445b..0000000 --- a/roles/renew_consul_certificates/meta/main.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# meta file for renew_consul_certificates -galaxy_info: - namespace: 'ednxzu' - role_name: 'renew_consul_certificates' - author: 'Bertrand Lanson' - description: 'Install and configure consul-template to renew consul TLS certificates for debian-based distros.' - license: 'license (BSD, MIT)' - min_ansible_version: '2.10' - platforms: - - name: Ubuntu - versions: - - focal - - jammy - - name: Debian - versions: - - bullseye - - bookworm - galaxy_tags: - - 'ubuntu' - - 'debian' - - 'hashicorp' - - 'consul' - -dependencies: [] diff --git a/roles/renew_consul_certificates/molecule/default/converge.yml b/roles/renew_consul_certificates/molecule/default/converge.yml deleted file mode 100644 index c1e3e1e..0000000 --- a/roles/renew_consul_certificates/molecule/default/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.renew_consul_certificates" - ansible.builtin.include_role: - name: "ednxzu.renew_consul_certificates" diff --git a/roles/renew_consul_certificates/molecule/default/molecule.yml b/roles/renew_consul_certificates/molecule/default/molecule.yml deleted file mode 100644 index 49efc7f..0000000 
--- a/roles/renew_consul_certificates/molecule/default/molecule.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/renew_consul_certificates/molecule/default/prepare.yml b/roles/renew_consul_certificates/molecule/default/prepare.yml deleted file mode 100644 index f2e71c5..0000000 --- a/roles/renew_consul_certificates/molecule/default/prepare.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Prepare - hosts: all - become: true - tasks: - - name: "Create group consul" - ansible.builtin.group: - name: "consul" - state: present - - - name: "Create user consul" - ansible.builtin.user: - name: "consul" - group: "consul" - shell: /bin/false - state: present diff --git a/roles/renew_consul_certificates/molecule/default/requirements.yml b/roles/renew_consul_certificates/molecule/default/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/renew_consul_certificates/molecule/default/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/renew_consul_certificates/molecule/default/verify.yml b/roles/renew_consul_certificates/molecule/default/verify.yml deleted file mode 100644 index 7338f39..0000000 --- a/roles/renew_consul_certificates/molecule/default/verify.yml +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: directory /etc/consul-template.d/consul" - block: - - name: "Stat directory /etc/consul-template.d/consul" - ansible.builtin.stat: - path: "/etc/consul-template.d/consul" - register: stat_etc_consul_template_d_nomad - - - name: "Stat file /etc/consul-template.d/consul/consul_config.hcl" - ansible.builtin.stat: - path: "/etc/consul-template.d/consul/consul_config.hcl" - register: stat_etc_consul_template_d_nomad_nomad_config_hcl - - - name: "Slurp file /etc/consul-template.d/consul/consul_config.hcl" - ansible.builtin.slurp: - src: "/etc/consul-template.d/consul/consul_config.hcl" - register: slurp_etc_consul_template_d_consul_consul_config_hcl - - - name: "Verify directory /etc/consul-template.d/consul" - ansible.builtin.assert: - that: - - stat_etc_consul_template_d_nomad.stat.exists - - stat_etc_consul_template_d_nomad.stat.isdir - - stat_etc_consul_template_d_nomad.stat.pw_name == 'consul' - - stat_etc_consul_template_d_nomad.stat.gr_name == 'consul' - - stat_etc_consul_template_d_nomad.stat.mode == '0755' - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'consul' - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'consul' - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600' - - slurp_etc_consul_template_d_consul_consul_config_hcl.content != '' - - - name: "Test: directory /etc/consul-template.d/consul/templates" - block: - - name: "Stat directory /etc/consul-template.d/consul/templates" - ansible.builtin.stat: - path: "/etc/consul-template.d/consul/templates" - register: stat_etc_consul_template_d_consul_templates - - - name: "Find in directory /etc/consul-template.d/consul/templates" - ansible.builtin.find: - paths: "/etc/consul-template.d/consul/templates" - 
file_type: file - register: find_etc_consul_template_d_consul_templates - - - name: "Stat in directory /etc/consul-template.d/consul/templates" - ansible.builtin.stat: - path: "{{ item.path }}" - loop: "{{ find_etc_consul_template_d_consul_templates.files }}" - register: stat_etc_consul_template_d_consul_templates - - - name: "Slurp in directory /etc/consul-template.d/consul/templates" - ansible.builtin.slurp: - src: "{{ item.path }}" - loop: "{{ find_etc_consul_template_d_consul_templates.files }}" - register: slurp_etc_consul_template_d_nomad_templates - - - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl" - vars: - consul_ca_file: | - {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} - {{ .Data.issuing_ca }} - {{ end }}{% endraw %} - ansible.builtin.assert: - that: - - item.item.isreg - - item.item.pw_name == 'consul' - - item.item.gr_name == 'consul' - - item.item.mode == '0600' - - "(item.content|b64decode) == consul_ca_file" - loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" - when: (item.item.path | basename) == 'consul_ca.pem.tpl' - - - name: "Verify file /etc/consul-template.d/consul/templates/consul_cert.pem.tpl" - vars: - consul_cert_file: | - {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} - {{ .Data.certificate }} - {{ .Data.issuing_ca }} - {{ end }}{% endraw %} - ansible.builtin.assert: - that: - - item.item.isreg - - item.item.pw_name == 'consul' - - item.item.gr_name == 'consul' - - item.item.mode == '0600' - - "(item.content|b64decode) == consul_cert_file" - loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" - when: (item.item.path | basename) == 'consul_cert.pem.tpl' - - - name: "Verify file /etc/consul-template.d/consul/templates/consul_key.pem.tpl" - vars: - consul_key_file: | - {% raw %}{{ with secret 
"pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} - {{ .Data.private_key }} - {{ end }}{% endraw %} - ansible.builtin.assert: - that: - - item.item.isreg - - item.item.pw_name == 'consul' - - item.item.gr_name == 'consul' - - item.item.mode == '0600' - - "(item.content|b64decode) == consul_key_file" - loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" - when: (item.item.path | basename) == 'consul_key.pem.tpl' - - - name: "Test: service consul-certs" - block: - - name: "Get service consul-certs" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/consul-certs.service" - ansible.builtin.stat: - path: "/etc/systemd/system/consul-certs.service" - register: stat_etc_systemd_system_consul_certs_service - - - name: "Slurp file /etc/systemd/system/consul-certs.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/consul-certs.service" - register: slurp_etc_systemd_system_consul_certs_service - - - name: "Verify service consul-certs" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_consul_certs_service.stat.exists - - stat_etc_systemd_system_consul_certs_service.stat.isreg - - stat_etc_systemd_system_consul_certs_service.stat.pw_name == 'root' - - stat_etc_systemd_system_consul_certs_service.stat.gr_name == 'root' - - stat_etc_systemd_system_consul_certs_service.stat.mode == '0644' - - slurp_etc_systemd_system_consul_certs_service.content != '' - - ansible_facts.services['consul-certs.service'] is defined - - ansible_facts.services['consul-certs.service']['source'] == 'systemd' - - ansible_facts.services['consul-certs.service']['state'] == 'stopped' - - ansible_facts.services['consul-certs.service']['status'] == 'enabled' diff --git a/roles/renew_consul_certificates/molecule/default_vagrant/converge.yml b/roles/renew_consul_certificates/molecule/default_vagrant/converge.yml deleted file mode 100644 index c1e3e1e..0000000 
--- a/roles/renew_consul_certificates/molecule/default_vagrant/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.renew_consul_certificates" - ansible.builtin.include_role: - name: "ednxzu.renew_consul_certificates" diff --git a/roles/renew_consul_certificates/molecule/default_vagrant/molecule.yml b/roles/renew_consul_certificates/molecule/default_vagrant/molecule.yml deleted file mode 100644 index 2b02360..0000000 --- a/roles/renew_consul_certificates/molecule/default_vagrant/molecule.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: vagrant - provider: - name: libvirt -platforms: - - name: instance - box: generic/${MOLECULE_TEST_OS} - cpus: 4 - memory: 4096 -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: default_vagrant - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/renew_consul_certificates/molecule/default_vagrant/prepare.yml b/roles/renew_consul_certificates/molecule/default_vagrant/prepare.yml deleted file mode 100644 index f2e71c5..0000000 --- a/roles/renew_consul_certificates/molecule/default_vagrant/prepare.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Prepare - hosts: all - become: true - tasks: - - name: "Create group consul" - ansible.builtin.group: - name: "consul" - state: present - - - name: "Create user consul" - ansible.builtin.user: - name: "consul" - group: "consul" - shell: /bin/false - state: present diff --git a/roles/renew_consul_certificates/molecule/default_vagrant/requirements.yml b/roles/renew_consul_certificates/molecule/default_vagrant/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 
--- a/roles/renew_consul_certificates/molecule/default_vagrant/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/renew_consul_certificates/molecule/default_vagrant/verify.yml b/roles/renew_consul_certificates/molecule/default_vagrant/verify.yml deleted file mode 100644 index 7338f39..0000000 --- a/roles/renew_consul_certificates/molecule/default_vagrant/verify.yml +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - become: true - tasks: - - name: "Test: directory /etc/consul-template.d/consul" - block: - - name: "Stat directory /etc/consul-template.d/consul" - ansible.builtin.stat: - path: "/etc/consul-template.d/consul" - register: stat_etc_consul_template_d_nomad - - - name: "Stat file /etc/consul-template.d/consul/consul_config.hcl" - ansible.builtin.stat: - path: "/etc/consul-template.d/consul/consul_config.hcl" - register: stat_etc_consul_template_d_nomad_nomad_config_hcl - - - name: "Slurp file /etc/consul-template.d/consul/consul_config.hcl" - ansible.builtin.slurp: - src: "/etc/consul-template.d/consul/consul_config.hcl" - register: slurp_etc_consul_template_d_consul_consul_config_hcl - - - name: "Verify directory /etc/consul-template.d/consul" - ansible.builtin.assert: - that: - - stat_etc_consul_template_d_nomad.stat.exists - - stat_etc_consul_template_d_nomad.stat.isdir - - stat_etc_consul_template_d_nomad.stat.pw_name == 'consul' - - stat_etc_consul_template_d_nomad.stat.gr_name == 'consul' - - stat_etc_consul_template_d_nomad.stat.mode == '0755' - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'consul' - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'consul' - - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600' - - slurp_etc_consul_template_d_consul_consul_config_hcl.content != '' - - - name: "Test: directory /etc/consul-template.d/consul/templates" - block: - - name: "Stat directory /etc/consul-template.d/consul/templates" - ansible.builtin.stat: - path: "/etc/consul-template.d/consul/templates" - register: stat_etc_consul_template_d_consul_templates - - - name: "Find in directory /etc/consul-template.d/consul/templates" - ansible.builtin.find: - paths: "/etc/consul-template.d/consul/templates" - 
file_type: file - register: find_etc_consul_template_d_consul_templates - - - name: "Stat in directory /etc/consul-template.d/consul/templates" - ansible.builtin.stat: - path: "{{ item.path }}" - loop: "{{ find_etc_consul_template_d_consul_templates.files }}" - register: stat_etc_consul_template_d_consul_templates - - - name: "Slurp in directory /etc/consul-template.d/consul/templates" - ansible.builtin.slurp: - src: "{{ item.path }}" - loop: "{{ find_etc_consul_template_d_consul_templates.files }}" - register: slurp_etc_consul_template_d_nomad_templates - - - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl" - vars: - consul_ca_file: | - {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} - {{ .Data.issuing_ca }} - {{ end }}{% endraw %} - ansible.builtin.assert: - that: - - item.item.isreg - - item.item.pw_name == 'consul' - - item.item.gr_name == 'consul' - - item.item.mode == '0600' - - "(item.content|b64decode) == consul_ca_file" - loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" - when: (item.item.path | basename) == 'consul_ca.pem.tpl' - - - name: "Verify file /etc/consul-template.d/consul/templates/consul_cert.pem.tpl" - vars: - consul_cert_file: | - {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} - {{ .Data.certificate }} - {{ .Data.issuing_ca }} - {{ end }}{% endraw %} - ansible.builtin.assert: - that: - - item.item.isreg - - item.item.pw_name == 'consul' - - item.item.gr_name == 'consul' - - item.item.mode == '0600' - - "(item.content|b64decode) == consul_cert_file" - loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" - when: (item.item.path | basename) == 'consul_cert.pem.tpl' - - - name: "Verify file /etc/consul-template.d/consul/templates/consul_key.pem.tpl" - vars: - consul_key_file: | - {% raw %}{{ with secret 
"pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost" "ip_sans=127.0.0.1" }} - {{ .Data.private_key }} - {{ end }}{% endraw %} - ansible.builtin.assert: - that: - - item.item.isreg - - item.item.pw_name == 'consul' - - item.item.gr_name == 'consul' - - item.item.mode == '0600' - - "(item.content|b64decode) == consul_key_file" - loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}" - when: (item.item.path | basename) == 'consul_key.pem.tpl' - - - name: "Test: service consul-certs" - block: - - name: "Get service consul-certs" - ansible.builtin.service_facts: - - - name: "Stat file /etc/systemd/system/consul-certs.service" - ansible.builtin.stat: - path: "/etc/systemd/system/consul-certs.service" - register: stat_etc_systemd_system_consul_certs_service - - - name: "Slurp file /etc/systemd/system/consul-certs.service" - ansible.builtin.slurp: - src: "/etc/systemd/system/consul-certs.service" - register: slurp_etc_systemd_system_consul_certs_service - - - name: "Verify service consul-certs" - ansible.builtin.assert: - that: - - stat_etc_systemd_system_consul_certs_service.stat.exists - - stat_etc_systemd_system_consul_certs_service.stat.isreg - - stat_etc_systemd_system_consul_certs_service.stat.pw_name == 'root' - - stat_etc_systemd_system_consul_certs_service.stat.gr_name == 'root' - - stat_etc_systemd_system_consul_certs_service.stat.mode == '0644' - - slurp_etc_systemd_system_consul_certs_service.content != '' - - ansible_facts.services['consul-certs.service'] is defined - - ansible_facts.services['consul-certs.service']['source'] == 'systemd' - - ansible_facts.services['consul-certs.service']['state'] == 'stopped' - - ansible_facts.services['consul-certs.service']['status'] == 'enabled' diff --git a/roles/renew_consul_certificates/molecule/with_custom_config/converge.yml b/roles/renew_consul_certificates/molecule/with_custom_config/converge.yml deleted file mode 100644 index c1e3e1e..0000000 
--- a/roles/renew_consul_certificates/molecule/with_custom_config/converge.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -- name: Converge - hosts: all - become: true - tasks: - - name: "Include ednxzu.renew_consul_certificates" - ansible.builtin.include_role: - name: "ednxzu.renew_consul_certificates" diff --git a/roles/renew_consul_certificates/molecule/with_custom_config/group_vars/all.yml b/roles/renew_consul_certificates/molecule/with_custom_config/group_vars/all.yml deleted file mode 100644 index 945a562..0000000 --- a/roles/renew_consul_certificates/molecule/with_custom_config/group_vars/all.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -renew_consul_certificates_config_dir: /etc/consul-template.d/consul -renew_consul_certificates_consul_user: consul -renew_consul_certificates_consul_group: consul -renew_consul_certificates_service_env_variables: - consul_http_addr: http://127.0.0.1:8500 - # consul_http_token: -renew_consul_certificates_vault_addr: "https://consul.example.com" -renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange -renew_consul_certificates_vault_token_unwrap: false -renew_consul_certificates_vault_token_renew: true -renew_consul_certificates_ca_dest: /opt/consul/tls/ca.pem -renew_consul_certificates_cert_dest: /opt/consul/tls/cert.pem -renew_consul_certificates_key_dest: /opt/consul/tls/key.pem -renew_consul_certificates_info: - issuer_path: pki/issue/your-issuer - common_name: consul01.example.com - ttl: 90d - is_server: true - include_consul_service: true -renew_consul_certificates_consul_dc_name: dc1.consul -renew_consul_certificates_consul_service_name: consul.service.consul -renew_consul_certificates_start_service: false diff --git a/roles/renew_consul_certificates/molecule/with_custom_config/molecule.yml b/roles/renew_consul_certificates/molecule/with_custom_config/molecule.yml deleted file mode 100644 index 4df62e9..0000000 --- a/roles/renew_consul_certificates/molecule/with_custom_config/molecule.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -dependency: - name: galaxy - options: - requirements-file: ./requirements.yml -driver: - name: docker -platforms: - - name: instance - image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible - command: "" - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - cgroupns_mode: host - privileged: true - pre_build_image: true -provisioner: - name: ansible - config_options: - defaults: - remote_tmp: /tmp/.ansible -verifier: - name: ansible -scenario: - name: with_custom_config - test_sequence: - - dependency - - cleanup - - destroy - - syntax - - create - - prepare - - converge - - idempotence - - verify - - cleanup - - destroy diff --git a/roles/renew_consul_certificates/molecule/with_custom_config/prepare.yml b/roles/renew_consul_certificates/molecule/with_custom_config/prepare.yml deleted file mode 100644 index f2e71c5..0000000 --- a/roles/renew_consul_certificates/molecule/with_custom_config/prepare.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- name: Prepare - hosts: all - become: true - tasks: - - name: "Create group consul" - ansible.builtin.group: - name: "consul" - state: present - - - name: "Create user consul" - ansible.builtin.user: - name: "consul" - group: "consul" - shell: /bin/false - state: present diff --git a/roles/renew_consul_certificates/molecule/with_custom_config/requirements.yml b/roles/renew_consul_certificates/molecule/with_custom_config/requirements.yml deleted file mode 100644 index 0a4a9fb..0000000 --- a/roles/renew_consul_certificates/molecule/with_custom_config/requirements.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -# requirements file for molecule -roles: - - name: ednxzu.manage_repositories - - name: ednxzu.manage_apt_packages diff --git a/roles/renew_consul_certificates/molecule/with_custom_config/verify.yml b/roles/renew_consul_certificates/molecule/with_custom_config/verify.yml deleted file mode 100644 index 3056cd2..0000000 --- a/roles/renew_consul_certificates/molecule/with_custom_config/verify.yml +++ /dev/null 
@@ -1,140 +0,0 @@
----
-- name: Verify
- hosts: all
- gather_facts: true
- become: true
- tasks:
- - name: "Test: directory /etc/consul-template.d/consul"
- block:
- - name: "Stat directory /etc/consul-template.d/consul"
- ansible.builtin.stat:
- path: "/etc/consul-template.d/consul"
- register: stat_etc_consul_template_d_nomad
-
- - name: "Stat file /etc/consul-template.d/consul/consul_config.hcl"
- ansible.builtin.stat:
- path: "/etc/consul-template.d/consul/consul_config.hcl"
- register: stat_etc_consul_template_d_nomad_nomad_config_hcl
-
- - name: "Slurp file /etc/consul-template.d/consul/consul_config.hcl"
- ansible.builtin.slurp:
- src: "/etc/consul-template.d/consul/consul_config.hcl"
- register: slurp_etc_consul_template_d_consul_consul_config_hcl
-
- - name: "Verify directory /etc/consul-template.d/consul"
- ansible.builtin.assert:
- that:
- - stat_etc_consul_template_d_nomad.stat.exists
- - stat_etc_consul_template_d_nomad.stat.isdir
- - stat_etc_consul_template_d_nomad.stat.pw_name == 'consul'
- - stat_etc_consul_template_d_nomad.stat.gr_name == 'consul'
- - stat_etc_consul_template_d_nomad.stat.mode == '0755'
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'consul'
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'consul'
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600'
- - slurp_etc_consul_template_d_consul_consul_config_hcl.content != ''
-
- - name: "Test: directory /etc/consul-template.d/consul/templates"
- block:
- - name: "Stat directory /etc/consul-template.d/consul/templates"
- ansible.builtin.stat:
- path: "/etc/consul-template.d/consul/templates"
- register: stat_etc_consul_template_d_consul_templates
-
- - name: "Find in directory /etc/consul-template.d/consul/templates"
- ansible.builtin.find:
- paths: "/etc/consul-template.d/consul/templates"
- file_type: file
- register: find_etc_consul_template_d_consul_templates
-
- - name: "Stat in directory /etc/consul-template.d/consul/templates"
- ansible.builtin.stat:
- path: "{{ item.path }}"
- loop: "{{ find_etc_consul_template_d_consul_templates.files }}"
- register: stat_etc_consul_template_d_consul_templates
-
- - name: "Slurp in directory /etc/consul-template.d/consul/templates"
- ansible.builtin.slurp:
- src: "{{ item.path }}"
- loop: "{{ find_etc_consul_template_d_consul_templates.files }}"
- register: slurp_etc_consul_template_d_nomad_templates
-
- - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl"
- vars:
- consul_ca_file: |
- {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}
- {{ .Data.issuing_ca }}
- {{ end }}{% endraw %}
- ansible.builtin.assert:
- that:
- - item.item.isreg
- - item.item.pw_name == 'consul'
- - item.item.gr_name == 'consul'
- - item.item.mode == '0600'
- - "(item.content|b64decode) == consul_ca_file"
- loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}"
- when: (item.item.path | basename) == 'consul_ca.pem.tpl'
-
- - name: "Verify file /etc/consul-template.d/consul/templates/consul_cert.pem.tpl"
- vars:
- consul_cert_file: |
- {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}
- {{ .Data.certificate }}
- {{ .Data.issuing_ca }}
- {{ end }}{% endraw %}
- ansible.builtin.assert:
- that:
- - item.item.isreg
- - item.item.pw_name == 'consul'
- - item.item.gr_name == 'consul'
- - item.item.mode == '0600'
- - "(item.content|b64decode) == consul_cert_file"
- loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}"
- when: (item.item.path | basename) == 'consul_cert.pem.tpl'
-
- - name: "Verify file /etc/consul-template.d/consul/templates/consul_key.pem.tpl"
- vars:
- consul_key_file: |
- {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}
- {{ .Data.private_key }}
- {{ end }}{% endraw %}
- ansible.builtin.assert:
- that:
- - item.item.isreg
- - item.item.pw_name == 'consul'
- - item.item.gr_name == 'consul'
- - item.item.mode == '0600'
- - "(item.content|b64decode) == consul_key_file"
- loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}"
- when: (item.item.path | basename) == 'consul_key.pem.tpl'
-
- - name: "Test: service consul-certs"
- block:
- - name: "Get service consul-certs"
- ansible.builtin.service_facts:
-
- - name: "Stat file /etc/systemd/system/consul-certs.service"
- ansible.builtin.stat:
- path: "/etc/systemd/system/consul-certs.service"
- register: stat_etc_systemd_system_consul_certs_service
-
- - name: "Slurp file /etc/systemd/system/consul-certs.service"
- ansible.builtin.slurp:
- src: "/etc/systemd/system/consul-certs.service"
- register: slurp_etc_systemd_system_consul_certs_service
-
- - name: "Verify service consul-certs"
- ansible.builtin.assert:
- that:
- - stat_etc_systemd_system_consul_certs_service.stat.exists
- - stat_etc_systemd_system_consul_certs_service.stat.isreg
- - stat_etc_systemd_system_consul_certs_service.stat.pw_name == 'root'
- - stat_etc_systemd_system_consul_certs_service.stat.gr_name == 'root'
- - stat_etc_systemd_system_consul_certs_service.stat.mode == '0644'
- - slurp_etc_systemd_system_consul_certs_service.content != ''
- - ansible_facts.services['consul-certs.service'] is defined
- - ansible_facts.services['consul-certs.service']['source'] == 'systemd'
- - ansible_facts.services['consul-certs.service']['state'] == 'stopped'
- - ansible_facts.services['consul-certs.service']['status'] == 'enabled'
diff --git a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/converge.yml b/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/converge.yml
deleted file mode 100644
index c1e3e1e..0000000
--- a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/converge.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Converge
- hosts: all
- become: true
- tasks:
- - name: "Include ednxzu.renew_consul_certificates"
- ansible.builtin.include_role:
- name: "ednxzu.renew_consul_certificates"
diff --git a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/group_vars/all.yml b/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/group_vars/all.yml
deleted file mode 100644
index 945a562..0000000
--- a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/group_vars/all.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-renew_consul_certificates_config_dir: /etc/consul-template.d/consul
-renew_consul_certificates_consul_user: consul
-renew_consul_certificates_consul_group: consul
-renew_consul_certificates_service_env_variables:
- consul_http_addr: http://127.0.0.1:8500
- # consul_http_token:
-renew_consul_certificates_vault_addr: "https://consul.example.com"
-renew_consul_certificates_vault_token: mysupersecretconsultokenthatyoushouldchange
-renew_consul_certificates_vault_token_unwrap: false
-renew_consul_certificates_vault_token_renew: true
-renew_consul_certificates_ca_dest: /opt/consul/tls/ca.pem
-renew_consul_certificates_cert_dest: /opt/consul/tls/cert.pem
-renew_consul_certificates_key_dest: /opt/consul/tls/key.pem
-renew_consul_certificates_info:
- issuer_path: pki/issue/your-issuer
- common_name: consul01.example.com
- ttl: 90d
- is_server: true
- include_consul_service: true
-renew_consul_certificates_consul_dc_name: dc1.consul
-renew_consul_certificates_consul_service_name: consul.service.consul
-renew_consul_certificates_start_service: false
diff --git a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/molecule.yml b/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/molecule.yml
deleted file mode 100644
index 890cdd0..0000000
--- a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/molecule.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-dependency:
- name: galaxy
- options:
- requirements-file: ./requirements.yml
-driver:
- name: vagrant
- provider:
- name: libvirt
-platforms:
- - name: instance
- box: generic/${MOLECULE_TEST_OS}
- cpus: 4
- memory: 4096
-provisioner:
- name: ansible
- config_options:
- defaults:
- remote_tmp: /tmp/.ansible
-verifier:
- name: ansible
-scenario:
- name: with_custom_config_vagrant
- test_sequence:
- - dependency
- - cleanup
- - destroy
- - syntax
- - create
- - prepare
- - converge
- - idempotence
- - verify
- - cleanup
- - destroy
diff --git a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/prepare.yml b/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/prepare.yml
deleted file mode 100644
index f2e71c5..0000000
--- a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/prepare.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- name: Prepare
- hosts: all
- become: true
- tasks:
- - name: "Create group consul"
- ansible.builtin.group:
- name: "consul"
- state: present
-
- - name: "Create user consul"
- ansible.builtin.user:
- name: "consul"
- group: "consul"
- shell: /bin/false
- state: present
diff --git a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/requirements.yml b/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/requirements.yml
deleted file mode 100644
index 0a4a9fb..0000000
--- a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/requirements.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# requirements file for molecule
-roles:
- - name: ednxzu.manage_repositories
- - name: ednxzu.manage_apt_packages
diff --git a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/verify.yml b/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/verify.yml
deleted file mode 100644
index 3056cd2..0000000
--- a/roles/renew_consul_certificates/molecule/with_custom_config_vagrant/verify.yml
+++ /dev/null
@@ -1,140 +0,0 @@
----
-- name: Verify
- hosts: all
- gather_facts: true
- become: true
- tasks:
- - name: "Test: directory /etc/consul-template.d/consul"
- block:
- - name: "Stat directory /etc/consul-template.d/consul"
- ansible.builtin.stat:
- path: "/etc/consul-template.d/consul"
- register: stat_etc_consul_template_d_nomad
-
- - name: "Stat file /etc/consul-template.d/consul/consul_config.hcl"
- ansible.builtin.stat:
- path: "/etc/consul-template.d/consul/consul_config.hcl"
- register: stat_etc_consul_template_d_nomad_nomad_config_hcl
-
- - name: "Slurp file /etc/consul-template.d/consul/consul_config.hcl"
- ansible.builtin.slurp:
- src: "/etc/consul-template.d/consul/consul_config.hcl"
- register: slurp_etc_consul_template_d_consul_consul_config_hcl
-
- - name: "Verify directory /etc/consul-template.d/consul"
- ansible.builtin.assert:
- that:
- - stat_etc_consul_template_d_nomad.stat.exists
- - stat_etc_consul_template_d_nomad.stat.isdir
- - stat_etc_consul_template_d_nomad.stat.pw_name == 'consul'
- - stat_etc_consul_template_d_nomad.stat.gr_name == 'consul'
- - stat_etc_consul_template_d_nomad.stat.mode == '0755'
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.exists
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.isreg
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.pw_name == 'consul'
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.gr_name == 'consul'
- - stat_etc_consul_template_d_nomad_nomad_config_hcl.stat.mode == '0600'
- - slurp_etc_consul_template_d_consul_consul_config_hcl.content != ''
-
- - name: "Test: directory /etc/consul-template.d/consul/templates"
- block:
- - name: "Stat directory /etc/consul-template.d/consul/templates"
- ansible.builtin.stat:
- path: "/etc/consul-template.d/consul/templates"
- register: stat_etc_consul_template_d_consul_templates
-
- - name: "Find in directory /etc/consul-template.d/consul/templates"
- ansible.builtin.find:
- paths: "/etc/consul-template.d/consul/templates"
- file_type: file
- register: find_etc_consul_template_d_consul_templates
-
- - name: "Stat in directory /etc/consul-template.d/consul/templates"
- ansible.builtin.stat:
- path: "{{ item.path }}"
- loop: "{{ find_etc_consul_template_d_consul_templates.files }}"
- register: stat_etc_consul_template_d_consul_templates
-
- - name: "Slurp in directory /etc/consul-template.d/consul/templates"
- ansible.builtin.slurp:
- src: "{{ item.path }}"
- loop: "{{ find_etc_consul_template_d_consul_templates.files }}"
- register: slurp_etc_consul_template_d_nomad_templates
-
- - name: "Verify file /etc/consul-template.d/consul/templates/consul_ca.pem.tpl"
- vars:
- consul_ca_file: |
- {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}
- {{ .Data.issuing_ca }}
- {{ end }}{% endraw %}
- ansible.builtin.assert:
- that:
- - item.item.isreg
- - item.item.pw_name == 'consul'
- - item.item.gr_name == 'consul'
- - item.item.mode == '0600'
- - "(item.content|b64decode) == consul_ca_file"
- loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}"
- when: (item.item.path | basename) == 'consul_ca.pem.tpl'
-
- - name: "Verify file /etc/consul-template.d/consul/templates/consul_cert.pem.tpl"
- vars:
- consul_cert_file: |
- {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}
- {{ .Data.certificate }}
- {{ .Data.issuing_ca }}
- {{ end }}{% endraw %}
- ansible.builtin.assert:
- that:
- - item.item.isreg
- - item.item.pw_name == 'consul'
- - item.item.gr_name == 'consul'
- - item.item.mode == '0600'
- - "(item.content|b64decode) == consul_cert_file"
- loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}"
- when: (item.item.path | basename) == 'consul_cert.pem.tpl'
-
- - name: "Verify file /etc/consul-template.d/consul/templates/consul_key.pem.tpl"
- vars:
- consul_key_file: |
- {% raw %}{{ with secret "pki/issue/your-issuer" "common_name=consul01.example.com" "ttl=90d" "alt_names=localhost,server.dc1.consul,consul.service.consul" "ip_sans=127.0.0.1" }}
- {{ .Data.private_key }}
- {{ end }}{% endraw %}
- ansible.builtin.assert:
- that:
- - item.item.isreg
- - item.item.pw_name == 'consul'
- - item.item.gr_name == 'consul'
- - item.item.mode == '0600'
- - "(item.content|b64decode) == consul_key_file"
- loop: "{{ slurp_etc_consul_template_d_nomad_templates.results }}"
- when: (item.item.path | basename) == 'consul_key.pem.tpl'
-
- - name: "Test: service consul-certs"
- block:
- - name: "Get service consul-certs"
- ansible.builtin.service_facts:
-
- - name: "Stat file /etc/systemd/system/consul-certs.service"
- ansible.builtin.stat:
- path: "/etc/systemd/system/consul-certs.service"
- register: stat_etc_systemd_system_consul_certs_service
-
- - name: "Slurp file /etc/systemd/system/consul-certs.service"
- ansible.builtin.slurp:
- src: "/etc/systemd/system/consul-certs.service"
- register: slurp_etc_systemd_system_consul_certs_service
-
- - name: "Verify service consul-certs"
- ansible.builtin.assert:
- that:
- - stat_etc_systemd_system_consul_certs_service.stat.exists
- - stat_etc_systemd_system_consul_certs_service.stat.isreg
- - stat_etc_systemd_system_consul_certs_service.stat.pw_name == 'root'
- - stat_etc_systemd_system_consul_certs_service.stat.gr_name == 'root'
- - stat_etc_systemd_system_consul_certs_service.stat.mode == '0644'
- - slurp_etc_systemd_system_consul_certs_service.content != ''
- - ansible_facts.services['consul-certs.service'] is defined
- - ansible_facts.services['consul-certs.service']['source'] == 'systemd'
- - ansible_facts.services['consul-certs.service']['state'] == 'stopped'
- - ansible_facts.services['consul-certs.service']['status'] == 'enabled'
diff --git a/roles/renew_consul_certificates/tasks/configure.yml b/roles/renew_consul_certificates/tasks/configure.yml
deleted file mode 100644
index 7ef5491..0000000
--- a/roles/renew_consul_certificates/tasks/configure.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-# task/configure file for renew_consul_certificates
-- name: "Configure files for consul certificate renewal"
- notify:
- - "systemctl-enable-consul-certs"
- - "systemctl-restart-consul-certs"
- block:
- - name: "Copy consul_config.hcl template"
- ansible.builtin.template:
- src: consul_config.hcl.j2
- dest: "{{ renew_consul_certificates_config_dir }}/consul_config.hcl"
- owner: "{{ renew_consul_certificates_consul_user }}"
- group: "{{ renew_consul_certificates_consul_group }}"
- mode: '0600'
-
- - name: "Copy consul_ca.pem.tpl template"
- ansible.builtin.template:
- src: consul_ca.pem.tpl.j2
- dest: "{{ renew_consul_certificates_config_dir }}/templates/consul_ca.pem.tpl"
- owner: "{{ renew_consul_certificates_consul_user }}"
- group: "{{ renew_consul_certificates_consul_group }}"
- mode: '0600'
-
- - name: "Copy consul_cert.pem.tpl template"
- ansible.builtin.template:
- src: consul_cert.pem.tpl.j2
- dest: "{{ renew_consul_certificates_config_dir }}/templates/consul_cert.pem.tpl"
- owner: "{{ renew_consul_certificates_consul_user }}"
- group: "{{ renew_consul_certificates_consul_group }}"
- mode: '0600'
-
- - name: "Copy consul_cert.key.tpl template"
- ansible.builtin.template:
- src: consul_key.pem.tpl.j2
- dest: "{{ renew_consul_certificates_config_dir }}/templates/consul_key.pem.tpl"
- owner: "{{ renew_consul_certificates_consul_user }}"
- group: "{{ renew_consul_certificates_consul_group }}"
- mode: '0600'
-
-- name: "Configure consul-certs systemd service"
- notify:
- - "systemctl-daemon-reload"
- block:
- - name: "Configure consul-certs env file"
- ansible.builtin.template:
- src: consul-certs.env.j2
- dest: "{{ renew_consul_certificates_config_dir }}/consul-certs.env"
- owner: root
- group: root
- mode: '0644'
-
- - name: "Configure consul-certs systemd service"
- ansible.builtin.template:
- src: consul-certs.service.j2
- dest: /etc/systemd/system/consul-certs.service
- owner: root
- group: root
- mode: '0644'
diff --git a/roles/renew_consul_certificates/tasks/install.yml b/roles/renew_consul_certificates/tasks/install.yml
deleted file mode 100644
index b559f50..0000000
--- a/roles/renew_consul_certificates/tasks/install.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# task/install file for renew_consul_certificates
-- name: "Configure hashicorp repository"
- ansible.builtin.include_role:
- name: ednxzu.manage_repositories
- vars:
- manage_repositories_enable_default_repo: false
- manage_repositories_enable_custom_repo: true
- manage_repositories_custom_repo: "{{ renew_consul_certificates_repository }}"
-
-- name: "Install consul-template"
- ansible.builtin.include_role:
- name: ednxzu.manage_apt_packages
- vars:
- manage_apt_packages_list: "{{ renew_consul_certificates_packages }}"
diff --git a/roles/renew_consul_certificates/tasks/main.yml b/roles/renew_consul_certificates/tasks/main.yml
deleted file mode 100644
index 088dca8..0000000
--- a/roles/renew_consul_certificates/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# task/main file for renew_consul_certificates
-- name: "Import prerequisites.yml"
- ansible.builtin.include_tasks: prerequisites.yml
-
-- name: "Import install.yml"
- ansible.builtin.include_tasks: install.yml
-
-- name: "Import configure.yml"
- ansible.builtin.include_tasks: configure.yml
diff --git a/roles/renew_consul_certificates/tasks/prerequisites.yml b/roles/renew_consul_certificates/tasks/prerequisites.yml
deleted file mode 100644
index 32d7c20..0000000
--- a/roles/renew_consul_certificates/tasks/prerequisites.yml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-# task/prerequisites file for renew_consul_certificates
-- name: "Create directory {{ renew_consul_certificates_config_dir }}"
- ansible.builtin.file:
- path: "{{ renew_consul_certificates_config_dir }}"
- state: directory
- owner: "{{ renew_consul_certificates_consul_user }}"
- group: "{{ renew_consul_certificates_consul_group }}"
- mode: '0755'
-
-- name: "Create directory templates directory in {{ renew_consul_certificates_config_dir }}"
- ansible.builtin.file:
- path: "{{ renew_consul_certificates_config_dir }}/templates"
- state: directory
- owner: "{{ renew_consul_certificates_consul_user }}"
- group: "{{ renew_consul_certificates_consul_group }}"
- mode: '0755'
-
-- name: "Ensure certificate/key directory(ies) exist(s)"
- ansible.builtin.file:
- path: "{{item | dirname }}"
- state: directory
- owner: "{{ renew_consul_certificates_consul_user }}"
- group: "{{ renew_consul_certificates_consul_group }}"
- mode: '0755'
- loop:
- - "{{ renew_consul_certificates_cert_dest }}"
- - "{{ renew_consul_certificates_key_dest }}"
- - "{{ renew_consul_certificates_ca_dest }}"
diff --git a/roles/renew_consul_certificates/templates/consul-certs.env.j2 b/roles/renew_consul_certificates/templates/consul-certs.env.j2
deleted file mode 100644
index 0303f37..0000000
--- a/roles/renew_consul_certificates/templates/consul-certs.env.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-{% for item in renew_consul_certificates_service_env_variables %}
-{{ item|upper }}="{{ renew_consul_certificates_service_env_variables[item] }}"
-{% endfor %}
\ No newline at end of file
diff --git a/roles/renew_consul_certificates/templates/consul-certs.service.j2 b/roles/renew_consul_certificates/templates/consul-certs.service.j2
deleted file mode 100644
index 987b365..0000000
--- a/roles/renew_consul_certificates/templates/consul-certs.service.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=Automatic renewal of consul certificate using consul-template
-Requires=network-online.target
-After=network-online.target consul.service
-ConditionFileNotEmpty={{ renew_consul_certificates_config_dir }}/consul_config.hcl
-
-[Service]
-EnvironmentFile=-{{ renew_consul_certificates_config_dir }}/consul-certs.env
-User={{ renew_consul_certificates_consul_user }}
-Group={{ renew_consul_certificates_consul_group }}
-ExecStart=/usr/bin/consul-template $OPTIONS -config={{ renew_consul_certificates_config_dir }}/consul_config.hcl
-ExecReload=/bin/kill --signal HUP $MAINPID
-KillSignal=SIGINT
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/renew_consul_certificates/templates/consul_ca.pem.tpl.j2 b/roles/renew_consul_certificates/templates/consul_ca.pem.tpl.j2
deleted file mode 100644
index 65e4826..0000000
--- a/roles/renew_consul_certificates/templates/consul_ca.pem.tpl.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
-
-{% raw %}{{ .Data.issuing_ca }}{% endraw %}
-
-{% raw %}{{ end }}{% endraw %}
diff --git a/roles/renew_consul_certificates/templates/consul_cert.pem.tpl.j2 b/roles/renew_consul_certificates/templates/consul_cert.pem.tpl.j2
deleted file mode 100644
index b45ded2..0000000
--- a/roles/renew_consul_certificates/templates/consul_cert.pem.tpl.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
-
-{% raw %}{{ .Data.certificate }}{% endraw %}
-
-{% raw %}{{ .Data.issuing_ca }}{% endraw %}
-
-{% raw %}{{ end }}{% endraw %}
diff --git a/roles/renew_consul_certificates/templates/consul_config.hcl.j2 b/roles/renew_consul_certificates/templates/consul_config.hcl.j2
deleted file mode 100644
index cf34570..0000000
--- a/roles/renew_consul_certificates/templates/consul_config.hcl.j2
+++ /dev/null
@@ -1,33 +0,0 @@
-vault {
- address = "{{ renew_consul_certificates_vault_addr }}"
- token = "{{ renew_consul_certificates_vault_token }}"
- unwrap_token = {{ renew_consul_certificates_vault_token_unwrap|lower }}
- renew_token = {{ renew_consul_certificates_vault_token_renew|lower }}
-}
-
-template {
- source = "{{ renew_consul_certificates_config_dir }}/templates/consul_ca.pem.tpl"
- destination = "{{ renew_consul_certificates_ca_dest }}"
- perms = 0700
- user = "{{ renew_consul_certificates_consul_user }}"
- group = "{{ renew_consul_certificates_consul_group }}"
- command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && consul reload '"
-}
-
-template {
- source = "{{ renew_consul_certificates_config_dir }}/templates/consul_cert.pem.tpl"
- destination = "{{ renew_consul_certificates_cert_dest }}"
- perms = 0700
- user = "{{ renew_consul_certificates_consul_user }}"
- group = "{{ renew_consul_certificates_consul_group }}"
- command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && consul reload '"
-}
-
-template {
- source = "{{ renew_consul_certificates_config_dir }}/templates/consul_key.pem.tpl"
- destination = "{{ renew_consul_certificates_key_dest }}"
- perms = 0700
- user = "{{ renew_consul_certificates_consul_user }}"
- group = "{{ renew_consul_certificates_consul_group }}"
- command = "sh -c 'echo \"$(date) Update certificate and key file for {{ renew_consul_certificates_info['common_name'] }}\" && consul reload '"
-}
diff --git a/roles/renew_consul_certificates/templates/consul_key.pem.tpl.j2 b/roles/renew_consul_certificates/templates/consul_key.pem.tpl.j2
deleted file mode 100644
index 234de6c..0000000
--- a/roles/renew_consul_certificates/templates/consul_key.pem.tpl.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-{% raw %}{{ with secret {% endraw %}"{{ renew_consul_certificates_info['issuer_path'] }}" "common_name={{ renew_consul_certificates_info['common_name'] }}" "ttl={{ renew_consul_certificates_info['ttl'] }}" "alt_names=localhost{% if renew_consul_certificates_info['is_server'] %},server.{{ renew_consul_certificates_consul_dc_name }}{% endif %}{% if renew_consul_certificates_info['include_consul_service']%},{{ renew_consul_certificates_consul_service_name }}{% endif %}" "ip_sans=127.0.0.1"{% raw %} }}{% endraw %}
-
-{% raw %}{{ .Data.private_key }}{% endraw %}
-
-{% raw %}{{ end }}{% endraw %}
diff --git a/roles/renew_consul_certificates/vars/main.yml b/roles/renew_consul_certificates/vars/main.yml
deleted file mode 100644
index 9ec775b..0000000
--- a/roles/renew_consul_certificates/vars/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-# vars file for renew_consul_certificates
-renew_consul_certificates_repository:
- - name: hashicorp
- uri: "https://apt.releases.hashicorp.com"
- comments: "hashicorp repository"
- types:
- - deb
- suites:
- - "{{ ansible_distribution_release }}"
- components:
- - main
- options:
- Signed-By: "https://apt.releases.hashicorp.com/gpg"
-renew_consul_certificates_packages:
- - name: consul-template
- version: latest
- state: present