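---
# Provisions a combined Consul + Nomad ("Hashistack") cluster on every host in
# the inventory. Cluster traffic is bound to the Tailscale interface
# (tailscale0); the host's default interface is only exposed to Nomad as the
# "public" host network.
#
# Prerequisites:
#   - CONSUL_ENCRYPT must be exported in the controller's environment; it is the
#     Consul gossip encryption key written into consul.hcl.
#   - ./consul-keys/ must hold the Consul CA, server certificate and server key.
#   - NOTE(review): the peer list is built from groups['lux'] while the play
#     targets `all`; this assumes every targeted host is also in group `lux`.
- name: Hashistack
  hosts: all
  vars:
    # Ubuntu release used in the HashiCorp apt source line.
    hashicorp_apt_release: jammy
    # Pinned CNI plugin bundle required by Nomad bridge networking.
    cni_plugins_version: v1.0.0
    cni_plugins_url: "https://github.com/containernetworking/plugins/releases/download/{{ cni_plugins_version }}/cni-plugins-linux-amd64-{{ cni_plugins_version }}.tgz"
    # Tailscale address of the host being configured; reused in every rendered
    # config below so the cluster never listens on the public interface.
    tailscale_ip: "{{ hostvars[inventory_hostname]['ansible_tailscale0']['ipv4']['address'] }}"

  tasks:
    - name: Ensure the Consul gossip key is supplied
      # An unset CONSUL_ENCRYPT would render `encrypt = ""` and silently run
      # the cluster without gossip encryption.
      ansible.builtin.assert:
        that:
          - lookup('env', 'CONSUL_ENCRYPT') | length > 0
        fail_msg: "CONSUL_ENCRYPT must be set in the controller environment"
      run_once: true

    - name: Collect Tailscale addresses of the other cluster members
      # The host's own address is wrapped in a list: `difference` against a
      # bare string becomes a substring test, which could drop a peer whose
      # address is a prefix of this host's (e.g. 100.64.1.1 vs 100.64.1.10).
      # The result is a list; consul.hcl renders it with to_json.
      ansible.builtin.set_fact:
        other_hosts_ips: "{{ groups['lux'] | map('extract', hostvars, ['ansible_tailscale0', 'ipv4', 'address']) | difference([tailscale_ip]) }}"

    - name: Create CNI plugin directory
      become: true
      ansible.builtin.file:
        path: /opt/cni/bin
        state: directory
        mode: "0755"

    - name: Add CNI Plugin
      # unarchive downloads the bundle itself and skips once `creates` exists,
      # replacing the curl+tar shell pipeline that reported changed on every
      # run. Consider fetching with get_url and its `checksum:` option before
      # extracting so a tampered release asset is rejected.
      become: true
      ansible.builtin.unarchive:
        src: "{{ cni_plugins_url }}"
        dest: /opt/cni/bin
        remote_src: true
        creates: /opt/cni/bin/bridge

    - name: Add GPG Key
      # Stored as a dedicated keyring and referenced via signed-by below, so
      # this key only authenticates the HashiCorp repository instead of every
      # configured apt source (apt_key adds to the global trusted keyring).
      become: true
      ansible.builtin.get_url:
        url: https://apt.releases.hashicorp.com/gpg
        dest: /usr/share/keyrings/hashicorp-archive-keyring.asc
        mode: "0644"

    - name: Add Repository
      become: true
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.asc] https://apt.releases.hashicorp.com {{ hashicorp_apt_release }} main"
        state: present

    - name: Install
      become: true
      ansible.builtin.apt:
        name:
          - consul
          - nomad
        # `latest` upgrades on every run; pin versions here if reproducible
        # rollouts across the cluster matter.
        state: latest
        update_cache: true

    - name: Autocomplete
      # nomad exits non-zero when completion is already installed.
      ansible.builtin.command: "nomad -autocomplete-install"
      ignore_errors: true

    - name: Copy Keys
      # The server private key must not be world-readable; the module's default
      # mode (umask-derived, typically 0644) left it so. CA and certificate are
      # public material and stay readable. Consul runs as root (see the unit).
      become: true
      notify: restart_consul_service
      ansible.builtin.copy:
        src: "./consul-keys/{{ item.name }}"
        dest: "/etc/consul.d/{{ item.name }}"
        owner: root
        group: root
        mode: "{{ item.mode }}"
      loop:
        - { name: consul-agent-ca.pem, mode: "0644" }
        - { name: lux-server-consul-0.pem, mode: "0644" }
        - { name: lux-server-consul-0-key.pem, mode: "0600" }
      loop_control:
        label: "{{ item.name }}"

    - name: Consul config
      become: true
      notify: restart_consul_service
      ansible.builtin.copy:
        dest: /etc/consul.d/consul.hcl
        owner: root
        group: root
        # Contains the gossip key: keep it unreadable to other local users.
        mode: "0640"
        content: |
          datacenter = "lux"
          data_dir = "/opt/consul"
          encrypt = "{{ lookup('env', 'CONSUL_ENCRYPT') }}"
          tls {
            defaults {
              ca_file = "/etc/consul.d/consul-agent-ca.pem"
              cert_file = "/etc/consul.d/lux-server-consul-0.pem"
              key_file = "/etc/consul.d/lux-server-consul-0-key.pem"
              verify_incoming = true
              verify_outgoing = true
            }
            internal_rpc {
              verify_server_hostname = true
            }
          }
          auto_encrypt {
            allow_tls = true
          }
          # Other cluster members, rendered as a JSON list of quoted addresses.
          retry_join = {{ other_hosts_ips | to_json }}
          # NOTE: ACLs are disabled, so anything reaching port 8500 over the
          # Tailscale network has full access to the catalog and KV store.
          # Enabling them requires bootstrapping agent and Nomad tokens first.
          acl {
            enabled = false
          }
          performance {
            raft_multiplier = 3
          }

    - name: Consul server config
      notify: restart_consul_service
      become: true
      ansible.builtin.copy:
        dest: /etc/consul.d/server.hcl
        mode: "0644"
        content: |
          server = true
          bootstrap_expect = 3
          bind_addr = "{{ tailscale_ip }}"
          client_addr = "{{ tailscale_ip }}"
          connect {
            enabled = true
          }
          ui_config {
            enabled = true
          }
          ports {
            grpc = 8502
            # Binding 53 needs root or CAP_NET_BIND_SERVICE; see the unit file.
            dns = 53
          }

    - name: Consul systemd
      # Overrides the unit shipped by the apt package. The agent runs as root
      # here; HashiCorp's packaged unit uses a dedicated consul user, which
      # would require chowning /opt/consul and /etc/consul.d and granting
      # CAP_NET_BIND_SERVICE for the DNS port.
      become: true
      notify: restart_consul_service
      ansible.builtin.copy:
        dest: /etc/systemd/system/consul.service
        mode: "0644"
        content: |
          [Unit]
          Description="HashiCorp Consul - A service mesh solution"
          Documentation=https://www.consul.io/
          Requires=network-online.target
          After=network-online.target
          ConditionFileNotEmpty=/etc/consul.d/consul.hcl

          [Service]
          EnvironmentFile=-/etc/consul.d/consul.env
          User=root
          Group=root
          ExecStart=/usr/bin/consul agent -config-dir=/etc/consul.d/
          ExecReload=/bin/kill --signal HUP $MAINPID
          KillMode=process
          KillSignal=SIGTERM
          Restart=on-failure
          LimitNOFILE=65536

          [Install]
          WantedBy=multi-user.target

    - name: Make sure a service unit is running
      # daemon_reload picks up the unit file written above on the first run.
      become: true
      ansible.builtin.systemd:
        name: consul
        enabled: true
        state: started
        daemon_reload: true

    - name: Nomad config
      # NOTE: Nomad is configured without TLS or ACLs; its HTTP/RPC ports are
      # reachable by anything on the Tailscale network.
      become: true
      notify: restart_nomad_service
      ansible.builtin.copy:
        dest: /etc/nomad.d/nomad.hcl
        mode: "0644"
        content: |
          data_dir = "/opt/nomad/data"
          bind_addr = "{{ tailscale_ip }}"
          datacenter = "lux"
          server {
            enabled = true
            bootstrap_expect = 3
          }
          telemetry {
            collection_interval = "1s"
            disable_hostname = true
            prometheus_metrics = true
            publish_allocation_metrics = true
            publish_node_metrics = true
          }
          client {
            enabled = true
            host_network "public" {
              interface = "{{ ansible_default_ipv4.interface }}"
            }
            host_network "private" {
              interface = "tailscale0"
            }
          }
          consul {
            address = "{{ tailscale_ip }}:8500"
          }

    - name: Nomad systemd
      become: true
      notify: restart_nomad_service
      ansible.builtin.copy:
        dest: /etc/systemd/system/nomad.service
        mode: "0644"
        content: |
          [Unit]
          Description=Nomad
          Documentation=https://www.nomadproject.io/docs/
          Wants=network-online.target
          After=network-online.target

          # When using Nomad with Consul it is not necessary to start Consul first. These
          # lines start Consul before Nomad as an optimization to avoid Nomad logging
          # that Consul is unavailable at startup.
          Wants=consul.service
          After=consul.service

          [Service]
          # Nomad server should be run as the nomad user. Nomad clients
          # should be run as root
          User=root
          Group=root
          ExecReload=/bin/kill -HUP $MAINPID
          ExecStart=/usr/bin/nomad agent -config /etc/nomad.d
          KillMode=process
          KillSignal=SIGINT
          LimitNOFILE=65536
          LimitNPROC=infinity
          Restart=on-failure
          RestartSec=2

          ## Configure unit start rate limiting. Units which are started more than
          ## *burst* times within an *interval* time span are not permitted to start any
          ## more. Use `StartLimitIntervalSec` or `StartLimitInterval` (depending on
          ## systemd version) to configure the checking interval and `StartLimitBurst`
          ## to configure how many starts per interval are allowed. The values in the
          ## commented lines are defaults.

          ## StartLimitIntervalSec is used for systemd versions >= 230
          # StartLimitIntervalSec = 10s

          ## StartLimitInterval is used for systemd versions < 230
          # StartLimitInterval = 10s

          TasksMax=infinity
          OOMScoreAdjust=-1000

          [Install]
          WantedBy=multi-user.target

    - name: Make sure a service unit is running
      become: true
      ansible.builtin.systemd:
        name: nomad
        enabled: true
        state: started
        daemon_reload: true

    - name: Create target directory
      become: true
      ansible.builtin.file:
        path: /etc/systemd/resolved.conf.d
        state: directory
        mode: "0755"

    - name: DNS config
      # Routes the .consul domain to the local Consul DNS listener (port 53).
      notify: restart_systemd_resolved_service
      become: true
      ansible.builtin.copy:
        dest: /etc/systemd/resolved.conf.d/consul.conf
        mode: "0644"
        content: |
          [Resolve]
          DNS={{ tailscale_ip }}
          DNSSEC=false
          Domains=~consul

  handlers:
    - name: restart_systemd_resolved_service
      become: true
      ansible.builtin.systemd:
        name: systemd-resolved
        state: restarted

    - name: restart_nomad_service
      # daemon_reload is required because the unit file itself may have changed.
      become: true
      ansible.builtin.systemd:
        name: nomad
        state: restarted
        daemon_reload: true

    - name: restart_consul_service
      # daemon_reload is required because the unit file itself may have changed.
      become: true
      ansible.builtin.systemd:
        name: consul
        state: restarted
        daemon_reload: true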