Erweiterung 2 Lighthouses möglich

tasks/lighthouse_primary.yml

@@ -0,0 +1,61 @@
+---
+# Runs only on groups['nebula_lighthouse'][0]
+# This host owns the CA key and signs all certs.
+
+- name: Ensure CA cert/key exists
+  command:
+    chdir: /opt/nebula
+    cmd: >-
+      ./nebula-cert ca
+      -name "{{ nebula_network_name }}"
+      -duration "{{ nebula_ca_cert_duration }}"
+    creates: /opt/nebula/ca.crt
+
+- name: Ensure primary lighthouse cert/key exists
+  command:
+    chdir: /opt/nebula
+    cmd: >-
+      ./nebula-cert sign
+      -name "{{ _nebula_primary_lighthouse.hostname }}"
+      -ip "{{ _nebula_primary_lighthouse.internal_ip }}/{{ nebula_network_cidr }}"
+      -duration "{{ nebula_client_cert_duration }}"
+    creates: "/opt/nebula/{{ _nebula_primary_lighthouse.hostname }}.crt"
+
+- name: Ensure cert/key exists for each secondary lighthouse
+  command:
+    chdir: /opt/nebula
+    cmd: >-
+      ./nebula-cert sign
+      -name "{{ item.hostname }}"
+      -ip "{{ item.internal_ip }}/{{ nebula_network_cidr }}"
+      -duration "{{ nebula_client_cert_duration }}"
+    creates: "/opt/nebula/{{ item.hostname }}.crt"
+  loop: "{{ _nebula_lighthouses_computed[1:] }}"
+  when: _nebula_lighthouses_computed | length > 1
+
+- name: Ensure primary lighthouse is configured
+  template:
+    src: lighthouse_config.yml.j2
+    dest: /opt/nebula/config.yml
+    owner: root
+    group: root
+    mode: '0400'
+  notify: restart nebula
+  vars:
+    _lh: "{{ _nebula_primary_lighthouse }}"
+
+- name: Ensure primary lighthouse service exists
+  template:
+    src: lighthouse.service.j2
+    dest: /etc/systemd/system/lighthouse.service
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Ensure primary lighthouse service is enabled and running
+  systemd:
+    name: lighthouse
+    daemon_reload: yes
+    enabled: yes
+    masked: no
+    state: started

tasks/lighthouse_secondary.yml

@@ -0,0 +1,61 @@
+---
+# Runs on all nebula_lighthouse hosts except the primary ([0]).
+# Fetches cert + key from the primary lighthouse and deploys config.
+
+- name: Determine this lighthouse's config entry
+  set_fact:
+    _this_lh: >-
+      {{
+        _nebula_lighthouses_computed
+        | selectattr('hostname', 'equalto', inventory_hostname)
+        | list
+        | first
+      }}
+
+- name: Read cert/key/ca from primary lighthouse for this secondary
+  slurp:
+    src: "/opt/nebula/{{ item }}"
+  register: _lh_secondary_files
+  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
+  loop:
+    - "{{ _this_lh.hostname }}.crt"
+    - "{{ _this_lh.hostname }}.key"
+    - ca.crt
+
+- name: Ensure cert, key, CA files are present on this secondary lighthouse
+  copy:
+    dest: "/opt/nebula/{{ item['item'] }}"
+    content: "{{ item['content'] | b64decode }}"
+    owner: root
+    group: root
+    mode: '0600'
+  loop: "{{ _lh_secondary_files.results }}"
+  loop_control:
+    label: "{{ item['item'] }}"
+
+- name: Ensure secondary lighthouse is configured
+  template:
+    src: lighthouse_config.yml.j2
+    dest: /opt/nebula/config.yml
+    owner: root
+    group: root
+    mode: '0400'
+  notify: restart nebula
+  vars:
+    _lh: "{{ _this_lh }}"
+
+- name: Ensure secondary lighthouse service exists
+  template:
+    src: lighthouse.service.j2
+    dest: /etc/systemd/system/lighthouse.service
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Ensure secondary lighthouse service is enabled and running
+  systemd:
+    name: lighthouse
+    daemon_reload: yes
+    enabled: yes
+    masked: no
+    state: started

tasks/main.yml

@@ -3,19 +3,24 @@
   block:
     - name: Uninstall Nebula (clean install)
       include_tasks: uninstall.yml
-      when: nebula_clean_install|bool
+      when: nebula_clean_install | bool
 
     - name: Preflight checks
       include_tasks: preflight.yml
 
-    - name: Install Nebula on all hosts 
+    - name: Install Nebula on all hosts
       include_tasks: nebula.yml
-    
-    - name: Deploy Lighthouse
-      include_tasks: lighthouse.yml
-      when: inventory_hostname in groups['nebula_lighthouse']
-    
+
+    - name: Deploy Primary Lighthouse (CA + cert signing)
+      include_tasks: lighthouse_primary.yml
+      when: inventory_hostname == groups['nebula_lighthouse'][0]
+
+    - name: Deploy Secondary Lighthouses
+      include_tasks: lighthouse_secondary.yml
+      when:
+        - inventory_hostname in groups['nebula_lighthouse']
+        - inventory_hostname != groups['nebula_lighthouse'][0]
+
     - name: Deploy Nebula Node
       include_tasks: node.yml
-      when: inventory_hostname not in groups['nebula_lighthouse']
-  when: inventory_hostname in groups['nebula_lighthouse'] or nebula_internal_ip_addr is defined
+      when: inventory_hostname not in groups['nebula_lighthouse'] and nebula_internal_ip_addr is defined

tasks/node.yml

@@ -1,12 +1,13 @@
-- name: Check if node certificate exists on lighthouse
+---
+- name: Check if node certificate exists on primary lighthouse
   stat:
     path: /opt/nebula/{{ inventory_hostname }}.crt
-  delegate_to: "{{ groups.nebula_lighthouse[0] }}"
+  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
   register: cert_stat
 
 - name: Get information about existing certificate (if it exists)
   command: "/opt/nebula/nebula-cert print -json -path /opt/nebula/{{ inventory_hostname }}.crt"
-  delegate_to: "{{ groups.nebula_lighthouse[0] }}"
+  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
   changed_when: false
   when: cert_stat.stat.exists
   register: current_cert_json
@@ -24,62 +25,79 @@
     msg: "IP Address in Cert: {{ current_cert_ip }}, Expected IP Address: {{ nebula_internal_ip_addr }}/{{ nebula_network_cidr }}"
   when: cert_stat.stat.exists
 
-- name: Delete invalid node certificate and key from lighthouse (wrong IP address)
+- name: Delete invalid node certificate and key from primary lighthouse (wrong IP address)
   file:
     path: "/opt/nebula/{{ item }}"
     state: absent
-  delegate_to: "{{ groups.nebula_lighthouse[0] }}"
+  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
   with_items:
     - "{{ inventory_hostname }}.crt"
     - "{{ inventory_hostname }}.key"
   when:
     - cert_stat.stat.exists
-    - current_cert_ip != nebula_internal_ip_addr|string + '/' + nebula_network_cidr|string
+    - current_cert_ip != nebula_internal_ip_addr | string + '/' + nebula_network_cidr | string
 
-- name: Ensure a cert/key exists for each node on lighthouse
+- name: Ensure a cert/key exists for this node on primary lighthouse
   command:
     chdir: /opt/nebula
-    cmd: ./nebula-cert sign -name "{{ inventory_hostname }}" -ip "{{ nebula_internal_ip_addr }}/{{ nebula_network_cidr }}" -duration "{{ nebula_client_cert_duration }}"
-  delegate_to: "{{ groups.nebula_lighthouse[0] }}"
-  when: not cert_stat.stat.exists or current_cert_ip != nebula_internal_ip_addr|string + '/' + nebula_network_cidr|string
+    cmd: >-
+      ./nebula-cert sign
+      -name "{{ inventory_hostname }}"
+      -ip "{{ nebula_internal_ip_addr }}/{{ nebula_network_cidr }}"
+      -duration "{{ nebula_client_cert_duration }}"
+  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
+  when: >-
+    not cert_stat.stat.exists
+    or current_cert_ip != nebula_internal_ip_addr | string + '/' + nebula_network_cidr | string
 
-- name: Ensure lighthouse has hosts file entry for node
+- name: Ensure primary lighthouse has hosts file entry for node
   lineinfile:
     path: /etc/hosts
     line: "{{ nebula_internal_ip_addr }} {{ inventory_hostname }}.neb"
-  delegate_to: "{{ groups.nebula_lighthouse[0] }}"
+  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
   when: nebula_lighthouse_build_hosts_file
 
-- name: Ensure node has hosts file entry for lighthouse
+- name: Ensure all lighthouses have hosts file entry for node
   lineinfile:
     path: /etc/hosts
-    line: "{{ nebula_lighthouse_internal_ip_addr }} {{ nebula_lighthouse_hostname }}.neb"
+    line: "{{ nebula_internal_ip_addr }} {{ inventory_hostname }}.neb"
+  delegate_to: "{{ item }}"
+  loop: "{{ groups['nebula_lighthouse'][1:] }}"
+  when:
+    - nebula_lighthouse_build_hosts_file
+    - groups['nebula_lighthouse'] | length > 1
+
+- name: Ensure node has hosts file entries for all lighthouses
+  lineinfile:
+    path: /etc/hosts
+    line: "{{ item.internal_ip }} {{ item.hostname }}.neb"
+  loop: "{{ _nebula_lighthouses_computed }}"
   when: nebula_node_lighthouse_in_hosts_file
 
-- name: Read cert/key from lighthouse
+- name: Read cert/key/ca from primary lighthouse
   slurp:
     src: "/opt/nebula/{{ item }}"
   register: lighthouse_files
-  delegate_to: "{{ groups.nebula_lighthouse[0] }}"
-  with_items: 
+  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
+  with_items:
     - "{{ inventory_hostname }}.crt"
     - "{{ inventory_hostname }}.key"
     - ca.crt
 
-- name: Ensure Cert, Key, CA files exist
+- name: Ensure cert, key, CA files exist on node
   copy:
     dest: "/opt/nebula/{{ item['item'] }}"
     content: "{{ item['content'] | b64decode }}"
     owner: root
     group: root
-    mode: 0600
+    mode: '0600'
   loop: "{{ lighthouse_files.results }}"
   loop_control:
     label: "{{ item['item'] }}"
 
 - name: Ensure Nebula is configured
   template:
-    src: node_config.yml.j2 
+    src: node_config.yml.j2
     dest: /opt/nebula/config.yml
     owner: root
     group: root
@@ -95,7 +113,7 @@
     mode: '0644'
 
 - name: Ensure Nebula service is enabled and running
-  systemd: 
+  systemd:
     name: nebula
     daemon_reload: yes
     enabled: yes
@@ -109,12 +127,11 @@
     owner: root
     group: root
     mode: '0755'
-  when: nebula_install_check_cron|bool
+  when: nebula_install_check_cron | bool
 
 - name: Ensure nebula-check is scheduled via cron
   cron:
     name: "nebula-check"
     minute: "{{ nebula_check_cron_minute | default('*/5') }}"
     job: "/opt/nebula/nebula-check.sh"
-  when: nebula_install_check_cron|bool
-
+  when: nebula_install_check_cron | bool