---
# Look for an already-issued certificate for this node on the primary lighthouse.
# cert_stat.stat.exists drives the re-issue decisions in the tasks that follow.
- name: Check if node certificate exists on primary lighthouse
  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
  stat:
    path: "/opt/nebula/{{ inventory_hostname }}.crt"
  register: cert_stat

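# Dump the existing certificate as JSON so the IP embedded in it can be compared
# with the inventory value. argv is used instead of a single cmd string so the
# interpolated hostname is passed as one argument and never re-split by shlex.
- name: Get information about existing certificate (if it exists)
  command:
    argv:
      - /opt/nebula/nebula-cert
      - print
      - "-json"
      - "-path"
      - "/opt/nebula/{{ inventory_hostname }}.crt"
  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
  # A read-only print never changes the host.
  changed_when: false
  when: cert_stat.stat.exists
  register: current_cert_json
  # Presumably so an unreadable/corrupt cert does not abort the play here; the
  # parse task guards on a non-empty stdout. Canonical true instead of YAML 1.1 yes.
  ignore_errors: true
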
# Pull the first IP (CIDR form) out of the printed certificate.
# NOTE: json_query needs the jmespath Python package on the controller.
# current_cert_ip stays undefined when either condition is false (no cert, or the
# print produced no output), which the later comparison tasks rely on.
- name: Parse the IP address from the certificate details (if it exists)
  set_fact:
    current_cert_ip: "{{ current_cert_json.stdout | from_json | json_query('details.ips[0]') }}"
  when: cert_stat.stat.exists and current_cert_json.stdout != ""

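# Informational only: show the IP found in the cert next to the expected one.
- name: Print IP address from cert (if one exists)
  debug:
    msg: >-
      IP Address in Cert: {{ current_cert_ip }},
      Expected IP Address: {{ nebula_internal_ip_addr }}/{{ nebula_network_cidr }}
  # current_cert_ip is only set when the cert print produced output; without the
  # second condition an empty/failed print makes this debug fail on an undefined
  # variable instead of being skipped.
  when:
    - cert_stat.stat.exists
    - current_cert_ip is defined
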
# Remove the cert/key pair on the primary lighthouse when the cert was issued for
# a different IP than the inventory now specifies; the sign task below re-issues it.
- name: Delete invalid node certificate and key from primary lighthouse (wrong IP address)
  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
  file:
    path: "/opt/nebula/{{ item }}"
    state: absent
  loop:
    - "{{ inventory_hostname }}.crt"
    - "{{ inventory_hostname }}.key"
  when:
    - cert_stat.stat.exists
    # Parenthesised for readability; filters already bind tighter than the concatenation.
    - current_cert_ip != (nebula_internal_ip_addr | string) ~ '/' ~ (nebula_network_cidr | string)

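# (Re)issue this node's cert/key with the CA held on the primary lighthouse.
# argv avoids the shlex word-splitting a single cmd string goes through, so a
# hostname or inventory value containing whitespace or quotes cannot turn into
# extra nebula-cert arguments. Runs when no cert exists or the existing cert
# carried a different IP (in which case the delete task above removed it).
- name: Ensure a cert/key exists for this node on primary lighthouse
  command:
    chdir: /opt/nebula
    argv:
      - ./nebula-cert
      - sign
      - "-name"
      - "{{ inventory_hostname }}"
      - "-ip"
      - "{{ nebula_internal_ip_addr }}/{{ nebula_network_cidr }}"
      - "-duration"
      - "{{ nebula_client_cert_duration }}"
  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
  when: >-
    not cert_stat.stat.exists
    or current_cert_ip != (nebula_internal_ip_addr | string) ~ '/' ~ (nebula_network_cidr | string)
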
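# Keep exactly one /etc/hosts line for this node on the primary lighthouse. The
# regexp lets a stale entry (e.g. after an IP change) be replaced instead of left
# in place next to the new one; with no match the line is appended as before.
- name: Ensure primary lighthouse has hosts file entry for node
  lineinfile:
    path: /etc/hosts
    regexp: '^\S+\s+{{ inventory_hostname | regex_escape }}\.neb$'
    line: "{{ nebula_internal_ip_addr }} {{ inventory_hostname }}.neb"
  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
  when: nebula_lighthouse_build_hosts_file
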
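# Same hosts entry on every lighthouse after the first. The regexp replaces a
# stale line for this node (e.g. after an IP change) rather than appending a
# second one; with no match the line is appended as before.
- name: Ensure all secondary lighthouses have hosts file entry for node
  lineinfile:
    path: /etc/hosts
    regexp: '^\S+\s+{{ inventory_hostname | regex_escape }}\.neb$'
    line: "{{ nebula_internal_ip_addr }} {{ inventory_hostname }}.neb"
  delegate_to: "{{ item }}"
  loop: "{{ groups['nebula_lighthouse'][1:] }}"
  when:
    - nebula_lighthouse_build_hosts_file
    - groups['nebula_lighthouse'] | length > 1
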
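# Give the node a hosts entry per lighthouse. Items are expected to carry
# internal_ip and hostname (see the loop variable); the regexp replaces a stale
# line for that lighthouse instead of appending a duplicate.
- name: Ensure node has hosts file entries for all lighthouses
  lineinfile:
    path: /etc/hosts
    regexp: '^\S+\s+{{ item.hostname | regex_escape }}\.neb$'
    line: "{{ item.internal_ip }} {{ item.hostname }}.neb"
  loop: "{{ _nebula_lighthouses_computed }}"
  when: nebula_node_lighthouse_in_hosts_file
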
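# Read the node's signed cert, its private key and the CA cert from the primary
# lighthouse so they can be written to the node. no_log because the registered
# result holds the base64-encoded private key, which would otherwise be printed
# in verbose (-v) runs and end up in controller logs; note this also hides the
# details of a failed read.
- name: Read cert/key/ca from primary lighthouse
  slurp:
    src: "/opt/nebula/{{ item }}"
  delegate_to: "{{ groups['nebula_lighthouse'][0] }}"
  loop:
    - "{{ inventory_hostname }}.crt"
    - "{{ inventory_hostname }}.key"
    - ca.crt
  register: lighthouse_files
  no_log: true
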
# Write each slurped file to the node. Everything gets 0600 because one of the
# items is the private key; the loop label keeps the base64 content out of the
# per-item task output.
- name: Ensure cert, key, CA files exist on node
  loop: "{{ lighthouse_files.results }}"
  loop_control:
    label: "{{ item.item }}"
  copy:
    content: "{{ item.content | b64decode }}"
    dest: "/opt/nebula/{{ item.item }}"
    owner: root
    group: root
    mode: '0600'

# Render the node config; 0400 keeps it readable by root only. A changed config
# triggers the restart handler so it takes effect.
- name: Ensure Nebula is configured
  notify: restart nebula
  template:
    src: node_config.yml.j2
    dest: /opt/nebula/config.yml
    mode: '0400'
    owner: root
    group: root

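# Render the systemd unit. Without the notify a changed unit was reloaded by the
# daemon_reload in the next task but the running service kept the old settings;
# the same handler the config task uses restarts it.
- name: Ensure Nebula service exists
  template:
    src: node.service.j2
    dest: /etc/systemd/system/nebula.service
    owner: root
    group: root
    mode: '0644'
  notify: restart nebula
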
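# Reload systemd so a freshly rendered unit is picked up, then make sure the
# service is enabled, unmasked and running. Booleans written as canonical
# true/false rather than YAML 1.1 yes/no.
- name: Ensure Nebula service is enabled and running
  systemd:
    name: nebula
    daemon_reload: true
    enabled: true
    masked: false
    state: started
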
# Optional health-check script, root-owned and executable; only installed when the
# check cron is requested.
- name: Ensure nebula-check is present
  when: nebula_install_check_cron | bool
  template:
    src: nebula-check.sh.j2
    dest: /opt/nebula/nebula-check.sh
    mode: '0755'
    owner: root
    group: root

# Schedule the health-check script; the minute spec defaults to every 5 minutes
# unless nebula_check_cron_minute overrides it.
- name: Ensure nebula-check is scheduled via cron
  when: nebula_install_check_cron | bool
  cron:
    name: 'nebula-check'
    job: '/opt/nebula/nebula-check.sh'
    minute: "{{ nebula_check_cron_minute | default('*/5') }}"