From 9c85cc970832a671943c6ef7f45c992739fd89e1 Mon Sep 17 00:00:00 2001
From: vincent
Date: Sun, 24 Dec 2023 15:52:06 +0100
Subject: [PATCH] feat: improce variable management
---
 ansible/group_vars/NAS/ftp | 3 +++
 ansible/group_vars/NAS/{main => nfs} | 3 ---
 ansible/group_vars/NAS/nomad | 1 +
 ansible/group_vars/{homelab => cluster}/mount | 0
 ansible/group_vars/cluster/nomad | 1 +
 ansible/group_vars/production | 3 +++
 ansible/group_vars/staging | 4 ++++
 ansible/playbooks/HashicorpStack.yml | 12 ++++++++++--
 ansible/production | 12 +++++++++---
 ansible/staging | 12 +++++++++---
 nomad-job/borgmatic.nomad | 10 ++++++----
 11 files changed, 46 insertions(+), 15 deletions(-)
 create mode 100644 ansible/group_vars/NAS/ftp
 rename ansible/group_vars/NAS/{main => nfs} (89%)
 create mode 100644 ansible/group_vars/NAS/nomad
 rename ansible/group_vars/{homelab => cluster}/mount (100%)
 create mode 100644 ansible/group_vars/cluster/nomad
diff --git a/ansible/group_vars/NAS/ftp b/ansible/group_vars/NAS/ftp
new file mode 100644
index 0000000..a14b808
--- /dev/null
+++ b/ansible/group_vars/NAS/ftp
@@ -0,0 +1,3 @@
+vsftpd_config:
+ local_root: "/var/local/volume1"
+ seccomp_sandbox: False
diff --git a/ansible/group_vars/NAS/main b/ansible/group_vars/NAS/nfs
similarity index 89%
rename from ansible/group_vars/NAS/main
rename to ansible/group_vars/NAS/nfs
index 847627e..742d77a 100644
--- a/ansible/group_vars/NAS/main
+++ b/ansible/group_vars/NAS/nfs
@@ -13,6 +13,3 @@ nfs_exports:
 - "/var/local/volume1/CardDav {{nfs_cluster_list}}"
-vsftpd_config:
- local_root: "/var/local/volume1"
- seccomp_sandbox: False
diff --git a/ansible/group_vars/NAS/nomad b/ansible/group_vars/NAS/nomad
new file mode 100644
index 0000000..4cc8ce7
--- /dev/null
+++ b/ansible/group_vars/NAS/nomad
@@ -0,0 +1 @@
+nomad_node_class: 'NAS'
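Review bot: `seccomp_sandbox: False` in the new ansible/group_vars/NAS/ftp switches off vsftpd's syscall filter for the whole FTP service, and nothing in the file records why. The value is carried over unchanged from the old NAS/main file, so this commit does not alter behaviour, but a variable file without a comment tends to keep such an exception indefinitely; a line such as `# seccomp_sandbox disabled because <reason observed on the NAS>; re-enable once resolved` above the key would let the next reader decide whether it is still needed. A similar one-line comment on `local_root` saying which users and paths FTP is meant to expose out of /var/local/volume1 (the same tree the nfs file exports) would make the intended exposure explicit.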
diff --git a/ansible/group_vars/homelab/mount b/ansible/group_vars/cluster/mount
similarity index 100%
rename from ansible/group_vars/homelab/mount
rename to ansible/group_vars/cluster/mount
diff --git a/ansible/group_vars/cluster/nomad b/ansible/group_vars/cluster/nomad
new file mode 100644
index 0000000..a64ecf1
--- /dev/null
+++ b/ansible/group_vars/cluster/nomad
@@ -0,0 +1 @@
+nomad_node_class: 'cluster'
diff --git a/ansible/group_vars/production b/ansible/group_vars/production
index 541e8df..a63d4ee 100644
--- a/ansible/group_vars/production
+++ b/ansible/group_vars/production
@@ -3,6 +3,9 @@ domain:
 consul_bootstrap_expect: 3
 consul_domain: "consul"
 nomad_bootstrap_expect: 3
+nomad_client_meta:
+ - name: "env"
+ value: "production"
 vault_unseal_keys_dir_output: "~/vaultUnseal/production"
 env_default_nfs_path: "/volume2"
 env_media_nfs_path: "/volume1"
diff --git a/ansible/group_vars/staging b/ansible/group_vars/staging
index 8b169c5..f3fa539 100644
--- a/ansible/group_vars/staging
+++ b/ansible/group_vars/staging
@@ -5,6 +5,10 @@ domain:
 consul_bootstrap_expect: 2
 consul_domain: "consul"
 nomad_bootstrap_expect: 2
+nomad_client_meta:
+ - name: "env"
+ value: "staging"
+
 vault_unseal_keys_dir_output: "~/vaultUnseal/staging"
 hosts_entries:
 - ip: "{{ hostvars['nas-dev']['ansible_default_ipv4']['address'] }}"
diff --git a/ansible/playbooks/HashicorpStack.yml b/ansible/playbooks/HashicorpStack.yml
index e8fec82..3bfe5ac 100644
--- a/ansible/playbooks/HashicorpStack.yml
+++ b/ansible/playbooks/HashicorpStack.yml
@@ -5,18 +5,26 @@
 - role: ansible-hashicorp-vault
 become: true
 post_tasks:
+ - name: Reading root contents
+ ansible.builtin.command: cat "{{ vault_unseal_keys_dir_output }}/rootkey"
+ register: root_token
+ delegate_to: localhost
+ changed_when: false
+ - name: debug
+ ansible.builtin.debug:
+ var: root_token
 - name: Generate nomad token
 community.hashi_vault.vault_token_create:
 renewable: true
 policies: "nomad-server-policy"
 period: 72h
 no_parent: true
- token: "{{ vault_init_parsed.root_token }}"
+ token: "{{ root_token.stdout }}"
 url: http://{{ ansible_default_ipv4.address }}:8200
 retries: 4
 run_once: true
 delegate_to: localhost
- when: vault_init_parsed.root_token is defined
+ when: root_token.stdout is defined
 register: nomad_token_data
 - name: Gather nomad token
diff --git a/ansible/production b/ansible/production
index c1d5f0d..4fe3d02 100644
--- a/ansible/production
+++ b/ansible/production
@@ -21,12 +21,18 @@ bleys
 [wireguard:children]
 production
+[NAS]
+nas
-
-[homelab]
+[cluster]
 oscar
-bleys
 gerard
+bleys
+
+
+[homelab:children]
+NAS
+cluster
 [VPS]
 corwin
diff --git a/ansible/staging b/ansible/staging
index fcfb9e2..69429f1 100644
--- a/ansible/staging
+++ b/ansible/staging
@@ -13,10 +13,17 @@ database_standby
 [wireguard:children]
 staging
-[homelab]
+[NAS]
+nas-dev
+
+[cluster]
 oscar-dev
 gerard-dev
+[homelab:children]
+NAS
+cluster
+
 [VPS]
 merlin-dev
@@ -25,8 +32,7 @@ homelab
 VPS
 staging
-[NAS]
-nas-dev
+
 [staging]
 oscar-dev
diff --git a/nomad-job/borgmatic.nomad b/nomad-job/borgmatic.nomad
index 454d3a9..40c5027 100644
--- a/nomad-job/borgmatic.nomad
+++ b/nomad-job/borgmatic.nomad
@@ -7,9 +7,9 @@ job "borgmatic" {
 forcedeploy = "0"
 }
 constraint {
- attribute = "${node.unique.name}"
+ attribute = "${node.class}"
 operator = "set_contains"
- value = "nas"
+ value = "NAS"
 }
 group "borgmatic"{
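Review bot: The new `debug` task prints `root_token`, i.e. the Vault root token just read from `{{ vault_unseal_keys_dir_output }}/rootkey`, in clear text to the playbook output and to any log or CI capture of it, and the `command` task that registers it carries no `no_log`, so on verbose runs the token also appears in that task's result. Drop the debug task and add `no_log: true` beside `register: root_token`; if a trace is wanted, print only `root_token.stdout | length`. The replacement guard `when: root_token.stdout is defined` is also effectively always true once the command has run (an empty rootkey file yields an empty but defined stdout), so it no longer protects the token-creation task the way `vault_init_parsed.root_token is defined` did; `when: root_token.stdout | length > 0` keeps that intent. The `post_tasks` list these tasks belong to continues past the end of the hunk.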
@@ -25,7 +25,7 @@ job "borgmatic" {
 "/var/local/volume1:/var/local/volume1",
 "local/borgmatic.d:/etc/borgmatic.d",
 "secret/id_rsa:/root/.ssh/id_rsa",
- "/mnt/diskstation/nomad/borgmatic:/root/.cache/borg",
+ "/mnt/diskstation/nomad/borgmatic:/root/.cache/borg",
 ]
 }
@@ -65,7 +65,8 @@ location:
 - /volume1/photo
 repositories:
- - u304977@u304977.your-storagebox.de:backup_syno
+ - u304977@u304977.your-storagebox.de:{{if eq "production" (env "meta.env") }}backup_hamelab{{else}}backup_homelab_dev{{end}}
+
 exclude_patterns:
 - '*/nomad/jellyfin/cache'
 - '*/loki/chunks'
@@ -207,6 +208,7 @@ consistency:
 {{end}}
 EOH
 destination = "secret/id_rsa"
+ perms= "700"
 }
 resources {
 memory = 300
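Review bot: `backup_hamelab` in the production branch of the new repository template looks like a misspelling of `backup_homelab`, the stem the `{{else}}` branch uses for `backup_homelab_dev`; if no repository of that exact name exists on the storage box, production borgmatic stops appending to the history it kept under the removed `backup_syno` name and either fails or starts an empty repository, so the name should be checked against the storage box before this ships. A short comment above the template line naming the two repositories and noting that `meta.env` comes from the `nomad_client_meta` set in the group_vars would make the dependency visible to someone reading the job file on its own.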
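Review bot: `perms= "700"` on the template that writes the SSH private key to `secret/id_rsa` sets the owner-execute bit on a data file; `perms = "0600"` is the least-privilege mode for a key and is what OpenSSH expects (it rejects keys readable by group or others, which both modes satisfy, so the tighter value costs nothing). The spacing `perms= ` also differs from the `destination = ...` line above it; `perms = "0600"` fixes both.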