make it a role
@@ -0,0 +1,37 @@
---
- name: Ensure CA cert/key exists
command:
chdir: /opt/nebula
cmd: ./nebula-cert ca -name "{{ nebula_network_name }}" -duration "{{ nebula_ca_cert_duration }}"
creates: /opt/nebula/ca.crt
- name: Ensure lighthouse cert/key exists
command:
chdir: /opt/nebula
cmd: ./nebula-cert sign -name "{{ nebula_lighthouse_hostname }}" -ip "{{ nebula_lighthouse_internal_ip_addr }}/{{ nebula_network_cidr }}" -duration "{{ nebula_client_cert_duration }}"
creates: "/opt/nebula/{{ nebula_lighthouse_hostname }}.crt"
- name: Ensure lighthouse is configured
template:
src: lighthouse_config.yml.j2
dest: /opt/nebula/config.yml
owner: root
group: root
mode: '0400'
notify: Restart Lighthouse
- name: Ensure lighthouse service exists
template:
src: lighthouse.service.j2
dest: /etc/systemd/system/lighthouse.service
owner: root
group: root
mode: '0644'
- name: Ensure lighthouse service is enabled and running
systemd:
name: lighthouse
daemon_reload: yes
enabled: yes
masked: no
state: started
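Review bot: The `Ensure CA cert/key exists` task leaves the CA signing key on the lighthouse host (nebula-cert ca presumably writes ca.key beside ca.crt in /opt/nebula — confirm), and the node tasks later delegate every certificate signing to that same host, so the overlay's trust root lives on its most exposed node. That is a deliberate trade-off worth stating at the top of the task, e.g. `# NOTE: ca.key is generated and kept on the lighthouse and is the trust root for the whole overlay; generating it offline and placing only ca.crt here would limit the blast radius of a lighthouse compromise.` The `creates: /opt/nebula/ca.crt` guard keys idempotency on the certificate alone, so a present ca.crt with a missing ca.key is skipped silently instead of being regenerated or reported. In the `Ensure lighthouse service is enabled and running` task, `daemon_reload: yes`, `enabled: yes` and `masked: no` should be written `true`/`false` (yamllint truthy); the node service task in this commit has the same three values.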
@@ -0,0 +1,11 @@
---
- name: Install Nebula on all hosts
include: nebula.yml
- name: Deploy Lighthouse
include: lighthouse.yml
when: inventory_hostname in groups['nebula_lighthouse']
- name: Deploy Nebula Node
include: node.yml
when: inventory_hostname not in groups['nebula_lighthouse']
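Review bot: Both `when:` conditions index `groups['nebula_lighthouse']` directly, so a run against an inventory without that group aborts with an undefined-variable error instead of skipping the lighthouse/node split; `when: inventory_hostname in groups.get('nebula_lighthouse', [])` and `when: inventory_hostname not in groups.get('nebula_lighthouse', [])` keep both conditions evaluable. The `include:` keyword is deprecated in favour of `import_tasks:`/`include_tasks:`; `import_tasks:` is the closest replacement here, with the `when:` applied to each imported task. A one-line comment above the second task, e.g. `# Only the first member of nebula_lighthouse signs certificates; see node tasks.`, would make the dependency between this file and the node tasks' `delegate_to` visible to whoever reorders the group.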
@@ -0,0 +1,25 @@
- name: Ensure /opt/nebula directory exists
file:
path: /opt/nebula
state: directory
mode: '0700'
owner: root
group: root
# TODO: Detect cpu arch correctly
- name: Download & Extract Nebula
unarchive:
src: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-{{ cpu_arch | default('amd64') }}.tar.gz"
dest: "/opt/nebula"
remote_src: yes
creates: '/opt/nebula/nebula'
- name: Ensure Nebula binaries permissions are correct
file:
path: "/opt/nebula/{{ item }}"
owner: root
group: root
mode: '0700'
with_items:
- nebula
- nebula-cert
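Review bot: The release archive in the `Download & Extract Nebula` task is installed with no integrity check — `unarchive` with `remote_src: yes` extracts whatever the GitHub URL returns, and the `creates:` guard only stops it from running twice. Fetching with `get_url` and a `checksum:` pinned per `nebula_version`/architecture, then extracting the local file, makes a substituted or truncated archive fail closed; the `nebula_archive_sha256` variable below is a constructed name and should be whatever the role's defaults define. The `# TODO: Detect cpu arch correctly` could be resolved by mapping `ansible_architecture` (x86_64 → amd64, aarch64 → arm64) into `cpu_arch` instead of defaulting to amd64. `remote_src: yes` should be `remote_src: true` (yamllint truthy).
```yaml
- name: Download Nebula release archive
  get_url:
    url: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-{{ cpu_arch | default('amd64') }}.tar.gz"
    dest: "/opt/nebula/nebula-linux-{{ cpu_arch | default('amd64') }}.tar.gz"
    # expected digest for this version/arch; variable name is a placeholder
    checksum: "sha256:{{ nebula_archive_sha256 }}"
    mode: '0600'

- name: Extract Nebula
  unarchive:
    src: "/opt/nebula/nebula-linux-{{ cpu_arch | default('amd64') }}.tar.gz"
    dest: /opt/nebula
    remote_src: true
    creates: /opt/nebula/nebula

# … unchanged: Ensure Nebula binaries permissions are correct …
```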
@@ -0,0 +1,77 @@
- name: Ensure a cert/key exists for each node on lighthouse
command:
chdir: /opt/nebula
cmd: ./nebula-cert sign -name "{{ inventory_hostname }}" -ip "{{ nebula_internal_ip_addr }}/{{ nebula_network_cidr }}" -duration "{{ nebula_client_cert_duration }}"
creates: "/opt/nebula/{{ inventory_hostname }}.crt"
delegate_to: "{{ groups.nebula_lighthouse[0] }}"
- name: Ensure lighthouse has hosts file entry for node
lineinfile:
path: /etc/hosts
line: "{{ nebula_internal_ip_addr }} {{ inventory_hostname }}.neb"
delegate_to: "{{ groups.nebula_lighthouse[0] }}"
- name: Ensure node has hosts file entry for lighthouse
lineinfile:
path: /etc/hosts
line: "{{ nebula_lighthouse_internal_ip_addr }} {{ nebula_lighthouse_hostname }}.neb {{ nebula_lighthouse_hostname }}"
- name: Read cert/key from lighthouse
slurp:
src: "/opt/nebula/{{ item }}"
register: lighthouse_files
delegate_to: "{{ groups.nebula_lighthouse[0] }}"
with_items:
- "{{ inventory_hostname }}.crt"
- "{{ inventory_hostname }}.key"
- ca.crt
- name: Ensure Cert, Key, CA files exist
copy:
dest: "/opt/nebula/{{ item['item'] }}"
content: "{{ item['content'] | b64decode }}"
owner: root
group: root
mode: 0600
loop: "{{ lighthouse_files.results }}"
loop_control:
label: "{{ item['item'] }}"
- name: Ensure Nebula is configured
template:
src: node_config.yml.j2
dest: /opt/nebula/config.yml
owner: root
group: root
mode: '0400'
notify: Restart Nebula
- name: Ensure Nebula service exists
template:
src: node.service.j2
dest: /etc/systemd/system/nebula.service
owner: root
group: root
mode: '0644'
- name: Ensure Nebula service is enabled and running
systemd:
name: nebula
daemon_reload: yes
enabled: yes
masked: no
state: started
- name: Ensure nebula-check is present
template:
src: nebula-check.sh.j2
dest: /opt/nebula/nebula-check.sh
owner: root
group: root
mode: '0755'
- name: Ensure nebula-check is scheduled via cron
cron:
name: "nebula-check"
minute: "*/5"
job: "/opt/nebula/nebula-check.sh"
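Review bot: The `Read cert/key from lighthouse` task slurps each node's private key (`{{ inventory_hostname }}.key`) into the registered `lighthouse_files` result without `no_log: true`, so the base64 key material is printed in verbose runs and retained by any callback that records task results; add `no_log: true` to that task — the `loop_control.label` on the following copy task only hides the item in that task's own output. The signed key also stays on the lighthouse after it has been copied to the node (presumably nebula-cert sign writes the .key beside the .crt under `chdir: /opt/nebula` — confirm), so the lighthouse accumulates every node's private key; deleting it after the copy, or generating the keypair on the node and signing only the public key (`nebula-cert sign -in-pub`), would keep node keys off the lighthouse. `mode: 0600` in the `Ensure Cert, Key, CA files exist` task is the only unquoted mode in the role; write it `mode: '0600'` to match the other tasks and avoid the octal-vs-decimal trap on YAML 1.2 parsers. The two `lineinfile` tasks carry no `regexp:`, so a changed `nebula_internal_ip_addr` or lighthouse address appends a second /etc/hosts entry for the same name instead of replacing the old one; a `regexp: "\\s{{ inventory_hostname }}\\.neb$"`-style anchor on each makes them converge.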