playbooks/bootstrap.yml

@@ -1,11 +1,11 @@
 ---
 # hashistack prepare playbook
 - name: "Bootstrap"
-  hosts: all, !deployment
+  hosts: common
   gather_facts: true
   become: true
   tasks:
-    - name: "Isntall unzip with package manager"
+    - name: "Install unzip with package manager"
       ansible.builtin.include_role:
         name: ednz_cloud.manage_apt_packages
       vars:

playbooks/certificates.yml

@@ -1,7 +1,7 @@
 ---
 # hashistack generate certificates playbook
 - name: "Generate certificates"
-  hosts: all, !deployment
+  hosts: common
   strategy: linear
   gather_facts: true
   become: true

playbooks/credentials.yml

@@ -1,7 +1,7 @@
 ---
 # hashistack generate certificates playbook
 - name: "Generate credentials"
-  hosts: deployment
+  hosts: localhost
   strategy: linear
   gather_facts: true
   become: true

playbooks/deploy.yml

@@ -1,7 +1,7 @@
 ---
 # hashistack deployment playbook
 - name: "Deploy"
-  hosts: "{{ target | default('all, !deployment') }}"
+  hosts: common
   strategy: linear
   gather_facts: true
   any_errors_fatal: true

playbooks/group_vars/all/cni.yml

@@ -1,4 +1,10 @@
 ---
-cni_plugins_version: "v1.5.1"
-cni_plugins_install_path: /opt/cni/bin
-cni_plugins_install_consul_cni: true
+###############
+# cni plugins #
+###############
+
+# hashistack_cni_plugins_version:
+# hashistack_cni_plugins_install_path:
+# hashistack_cni_plugins_install_consul_cni:
+# hashistack_cni_user:
+# hashistack_cni_group:

playbooks/group_vars/all/cni_default.yml

@@ -0,0 +1,19 @@
+---
+###############
+# cni plugins #
+###############
+
+hashistack_default_cni_plugins_version: "v1.5.1"
+cni_plugins_version: "{{ hashistack_cni_plugins_version | default(hashistack_default_cni_plugins_version) }}"
+
+hashistack_default_cni_plugins_install_path: /opt/cni/bin
+cni_plugins_install_path: "{{ hashistack_cni_plugins_install_path | default(hashistack_default_cni_plugins_install_path) }}"
+
+hashistack_default_cni_plugins_install_consul_cni: true
+cni_plugins_install_consul_cni: "{{ hashistack_cni_plugins_install_consul_cni | default(hashistack_default_cni_plugins_install_consul_cni) }}"
+
+hashistack_default_cni_user: nomad
+cni_user: "{{ hashistack_cni_user | default(hashistack_default_cni_user) }}"
+
+hashistack_default_cni_group: nomad
+cni_group: "{{ hashistack_cni_group | default(hashistack_default_cni_group) }}"

playbooks/group_vars/all/hashistack_ca.yml

@@ -1,10 +1,10 @@
 ---
 # defaults
-hashistack_ca_directory: "/etc/hashistack/certificates"
+hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"
 hashistack_ca_use_cryptography: false
 hashistack_ca_action: "noop"
 hashistack_ca_domain: example.com
-hashistack_ca_directory_owner: root
+hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
 
 ##############################
 # Root Certificate Authority #
@@ -79,41 +79,26 @@ hashistack_ca_leaf_renew_threshold: 30d
 ############################
 hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
-hashistack_ca_consul_csr_sans: >-
-  {%- set sans_list = [
-      'DNS:' + inventory_hostname,
-      'DNS:consul.service.consul',
-      'DNS:localhost',
-      'IP:' + api_interface_address,
-      'IP:127.0.0.1'
-  ] -%}
-  {%- if consul_enable_server -%}
-    {%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
-  {%- endif -%}
-  {{ sans_list }}
+hashistack_ca_consul_csr_sans:
+  - "DNS:{{ inventory_hostname }}"
+  - "DNS:consul.service.consul"
+  - "DNS:localhost"
+  - "IP:{{ api_interface_address }}"
+  - "IP:127.0.0.1"
+  - "{{ 'DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain if consul_enable_server else omit }}"
 
 ###########################
 # Nomad Leaf Certificates #
 ###########################
 hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
-hashistack_ca_nomad_csr_sans: >-
-  {%- set sans_list = [
-      'DNS:' + inventory_hostname,
-      'DNS:localhost',
-      'IP:' + api_interface_address,
-      'IP:127.0.0.1'
-  ] -%}
-  {%- if nomad_enable_server -%}
-    {%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
-    {%- if  (enable_consul | bool) -%}
-      {%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
-    {%- endif -%}
-  {%- endif -%}
-  {%- if nomad_enable_client -%}
-    {%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
-  {%- endif -%}
-  {{ sans_list }}
+hashistack_ca_nomad_csr_sans:
+  - "DNS:{{ inventory_hostname }}"
+  - "DNS:localhost"
+  - "IP:{{ api_interface_address }}"
+  - "IP:127.0.0.1"
+  - "{{ 'DNS:server.' ~ nomad_region ~ '.nomad' if nomad_enable_server else omit }}"
+  - "{{ 'DNS:nomad.service.consul' if (nomad_enable_server and enable_consul) else omit }}"
 
 ###########################
 # Vault Leaf Certificates #
@@ -122,9 +107,9 @@ hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
 hashistack_ca_vault_csr_sans:
   - "DNS:{{ inventory_hostname }}"
-  - "DNS:active.vault.service.consul"
-  - "DNS:standby.vault.service.consul"
-  - "DNS:vault.service.consul"
+  - "{{ 'DNS:active.vault.service.consul' if enable_consul else omit }}"
+  - "{{ 'DNS:standby.vault.service.consul' if enable_consul else omit }}"
+  - "{{ 'DNS:vault.service.consul' if enable_consul else omit }}"
   - "DNS:localhost"
   - "IP:{{ api_interface_address }}"
   - "IP:127.0.0.1"

playbooks/preflight.yml

@@ -1,7 +1,7 @@
 ---
 # hashistack deployment playbook
 - name: "Preflight"
-  hosts: all, !deployment
+  hosts: common
   strategy: linear
   gather_facts: true
   become: true

playbooks/tasks/haproxy/files/keepalived/keepalived.conf.j2

@@ -1,50 +0,0 @@
-# {{ ansible_managed }}
-global_defs {
-  script_user keepalived_script
-  enable_script_security
-}
-
-vrrp_script chk_haproxy{
-  script "/etc/keepalived/scripts.d/chk_haproxy.sh"
-  interval 3
-  weight 0
-  rise 6
-  fall 1
-}
-
-vrrp_instance {{ deploy_keepalived_vrrp_instance_name }} {
-  interface {{ deploy_keepalived_interface }}
-
-  state {{ deploy_keepalived_state }}
-  virtual_router_id {{ deploy_keepalived_router_id }}
-  priority {{ deploy_keepalived_priority }}
-  advert_int {{ deploy_keepalived_advert_interval }}
-
-  nopreempt
-
-{% if deploy_keepalived_unicast_peers %}
-  unicast_src_ip {{ deploy_keepalived_unicast_source }}
-  unicast_peer {
-{% for peer in deploy_keepalived_unicast_peers %}
-    {{ peer }}
-{% endfor %}
-  }
-{% endif %}
-
-  authentication {
-    auth_type PASS
-    auth_pass {{ deploy_keepalived_auth_passwd }}
-  }
-
-  virtual_ipaddress {
-{% for vip in deploy_keepalived_virtual_ips %}
-    {{ vip }}
-{% endfor %}
-  }
-
-  track_script {
-    chk_haproxy
-  }
-
-  notify {{ deploy_keepalived_scripts_dir }}/{{ deploy_keepalived_notify_script }}
-}

playbooks/tasks/haproxy/files/keepalived/scripts.d/chk_haproxy.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-set -e
-
-function do_ping() {
-  wget -q -O /dev/null --server-response "http://127.0.0.1:9000/health" 2>&1 | awk '/^  HTTP/{print $2}'
-}
-
-ping_result=$(do_ping)
-echo "Ping result: $ping_result"
-
-if [ "$ping_result" = "200" ]; then
-  exit 0
-else
-  exit 1
-fi

playbooks/tasks/haproxy/haproxy_deploy.yml

@@ -1,25 +0,0 @@
----
-- name: "HAProxy"
-  block:
-    - name: "Include ednz_cloud.deploy_haproxy"
-      ansible.builtin.include_role:
-        name: ednz_cloud.deploy_haproxy
-
-    - name: "Include ednz_cloud.deploy_keepalived"
-      ansible.builtin.include_role:
-        name: ednz_cloud.deploy_keepalived
-
-    - name: "Register haproxy services in consul"
-      when: enable_consul | bool
-      block:
-        - name: "Register haproxy services in consul"
-          community.general.consul:
-            token: "{{ _credentials.consul.root_token.secret_id }}"
-            host: "127.0.0.1"
-            scheme: "{{ consul_api_scheme }}"
-            port: "{{ consul_api_port[consul_api_scheme] }}"
-            validate_certs: false
-            service_name: haproxy
-            service_port: 80
-            interval: 20s
-            http: http://localhost:9000/health

roles/hashistack/.docsible

@@ -1,13 +0,0 @@
-aap_hub: null
-automation_kind: null
-category: null
-critical: null
-description: null
-dt_dev: null
-dt_prod: null
-dt_update: 26/08/2024
-requester: null
-subCategory: null
-time_saving: null
-users: null
-version: null

roles/hashistack/README.md

@@ -1,123 +0,0 @@
-<!-- DOCSIBLE START -->
-
-# 📃 Role overview
-
-## hashistack
-
-
-
-Description: Merge variables for the playbooks contained in ednz_cloud.hashistack collection
-
-
-| Field                | Value           |
-|--------------------- |-----------------|
-| Readme update        | 26/08/2024 |
-
-
-
-
-
-
-### Defaults
-
-**These are static variables with lower priority**
-
-#### File: defaults/main.yml
-
-| Var          | Type         | Value       |Required    | Title       |
-|--------------|--------------|-------------|-------------|-------------|
-| [hashistack_configuration_directory](defaults/main.yml#L3)   | str   | `{{ lookup('env', 'PWD') }}/etc/hashistack`  |  n/a  |  n/a |
-| [hashistack_sub_configuration_directories](defaults/main.yml#L4)   | dict   | `{'secrets': '{{ hashistack_configuration_directory }}/secrets', 'certificates': '{{ hashistack_configuration_directory }}/certificates', 'nomad_servers': '{{ hashistack_configuration_directory }}/nomad_servers', 'vault_servers': '{{ hashistack_configuration_directory }}/vault_servers', 'consul_servers': '{{ hashistack_configuration_directory }}/consul_servers'}`  |  n/a  |  n/a |
-| [hashistack_configuration_global_vars_file](defaults/main.yml#L11)   | str   | `globals.yml`  |  n/a  |  n/a |
-| [hashistack_configuration_credentials_vars_file](defaults/main.yml#L12)   | str   | `credentials.yml`  |  n/a  |  n/a |
-| [hashistack_remote_config_dir](defaults/main.yml#L14)   | str   | `/etc/hashistack`  |  n/a  |  n/a |
-| [hashistack_remote_log_dir](defaults/main.yml#L15)   | str   | `/var/log/hashistack`  |  n/a  |  n/a |
-| [hashistack_only_load_credentials](defaults/main.yml#L17)   | bool   | `False`  |  n/a  |  n/a |
-
-
-
-
-
-### Tasks
-
-
-#### File: tasks/load_group_vars.yml
-
-| Name | Module | Has Conditions |
-| ---- | ------ | --------- |
-| Variables \| Stat group specific config file | ansible.builtin.stat | False |
-| Variables \| Load group specific variables | ansible.builtin.include_vars | True |
-
-#### File: tasks/load_credentials_vars.yml
-
-| Name | Module | Has Conditions |
-| ---- | ------ | --------- |
-| Variables \| Stat credentials file | ansible.builtin.stat | False |
-| Variables \| Stat vault credentials file | ansible.builtin.stat | False |
-| Variables \| Make sure credentials file exists | ansible.builtin.assert | False |
-| Variables \| Load credentials variables | ansible.builtin.include_vars | False |
-| Variables \| Load vault credentials if vault.yml exists | ansible.builtin.include_vars | True |
-| Variables \| Merge vault credentials into _credentials | vars | True |
-
-#### File: tasks/load_host_vars.yml
-
-| Name | Module | Has Conditions |
-| ---- | ------ | --------- |
-| Variables \| Stat host specific config file | ansible.builtin.stat | False |
-| Variables \| Load host specific variables | ansible.builtin.include_vars | True |
-
-#### File: tasks/main.yml
-
-| Name | Module | Has Conditions |
-| ---- | ------ | --------- |
-| Variables \| Load global variables | ansible.builtin.include_tasks | True |
-| Variables \| Load credentials variables | ansible.builtin.include_tasks | False |
-| Variables \| Load group specific variables | ansible.builtin.include_tasks | True |
-| Variables \| Load host specific variables | ansible.builtin.include_tasks | True |
-| Ensure remote directories exists | ansible.builtin.file | True |
-| Variables \| Load custom CA certificates | ansible.builtin.include_tasks | True |
-
-#### File: tasks/load_ca_certificates.yml
-
-| Name | Module | Has Conditions |
-| ---- | ------ | --------- |
-| Check if CA directory exists | ansible.builtin.stat | False |
-| Find custom ca certificates to copy | ansible.builtin.find | True |
-| Ensure remote ca directory exists | ansible.builtin.file | False |
-| Copy custom ca certificates | ansible.builtin.copy | True |
-| Copy and update trust store | block | True |
-| Copy ca certificates to /usr/local/share/ca-certificates | ansible.builtin.file | False |
-| Update the trust store | ansible.builtin.command | True |
-
-#### File: tasks/load_global_vars.yml
-
-| Name | Module | Has Conditions |
-| ---- | ------ | --------- |
-| Variables \| Include all default variables | ansible.builtin.include_vars | False |
-| Variables \| Stat global configuration file | ansible.builtin.stat | False |
-| Variables \| Make sure global configuration file exists | ansible.builtin.assert | False |
-| Variables \| Load global variables | ansible.builtin.include_vars | False |
-
-
-
-
-
-
-
-## Author Information
-Bertrand Lanson
-
-#### License
-
-license (BSD, MIT)
-
-#### Minimum Ansible Version
-
-2.10
-
-#### Platforms
-
-- **Ubuntu**: ['focal', 'jammy', 'noble']
-- **Debian**: ['bullseye', 'bookworm']
-
-<!-- DOCSIBLE END -->

roles/hashistack_ca/.docsible

@@ -1,13 +0,0 @@
-aap_hub: null
-automation_kind: null
-category: null
-critical: null
-description: null
-dt_dev: null
-dt_prod: null
-dt_update: 26/08/2024
-requester: null
-subCategory: null
-time_saving: null
-users: null
-version: null

roles/vault/tasks/merge_variables.yml

@@ -33,6 +33,7 @@
           | unique
           | sort
           }}"
+      when: vault_enable_tls
 
 - name: "Vault | Merge service registration configuration"
   vars: