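---
# Bootstrap play: the target may not have Python yet, so facts cannot be
# gathered and only the raw module (plain SSH command) can run here.
# The play already escalates to root, so the commands carry no sudo prefix
# of their own (the original nested a second sudo inside become).
- hosts: all
  gather_facts: false
  become: true
  become_user: root
  pre_tasks:
    - name: Run apt-get update
      raw: apt-get update -y

    - name: Install python
      # NOTE(review): installs the "python" (2.x) package exactly as before;
      # distributions that ship only python3 need a different package name.
      raw: apt-get install -y python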
# Guard play: refuse to re-run provisioning on a host that already carries
# the /etc/ansible/ring marker.
# NOTE(review): this play does not escalate privileges, so the stat runs as
# the SSH user; confirm that user can traverse /etc/ansible.
- hosts: all
  tasks:
    - name: Check if /etc/ansible/ring exists
      register: etc_ansible_ring
      stat:
        path: /etc/ansible/ring

    - name: Ensure an existing host is not provisioned
      when: etc_ansible_ring.stat.exists
      fail:
        msg: This host is already provisioned!
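# Preflight checks: IPv6 reachability (only for hosts that declare V6 in the
# inventory), CPU architecture, and container detection.
- hosts: all
  tasks:
    - name: Check IPv6 connectivity
      tags: check_v6
      command: ping6 -c 1 ring.nlnog.net
      register: check_v6
      # A failed ping must not abort here; the fail task below reports it
      # with the intended message.
      ignore_errors: true
      when: hostvars[inventory_hostname]['V6'] is defined

    - name: Ensure IPv6 connectivity
      fail:
        msg: Could not ping ring.nlnog.net (IPv6)
      tags: check_v6
      # On hosts without V6 the ping task is skipped and its registered
      # result carries no rc, so the "is defined" test must come first
      # (the original evaluated check_v6.rc before it).
      when: hostvars[inventory_hostname]['V6'] is defined and check_v6.rc != 0

    - name: Check CPU architecture
      fail:
        msg: Host is not an x86_64 system
      tags: check_cpu
      # Relies on the default fact gathering of this play.
      when: ansible_architecture != "x86_64"

    - name: Check virtualization technology
      # Escalates because /proc/1/environ is normally readable by root only.
      become: true
      become_user: root
      tags: check_vm
      # Exit status 0 means PID 1's environment mentions a container.
      command: grep -q container /proc/1/environ
      register: check_vm
      ignore_errors: true

    - name: Ensure the node is not an LXC container
      fail:
        msg: LXC container nodes are not supported
      tags: check_vm
      when: check_vm.rc == 0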
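# Ring nodes: install the shared vault password and remove AppArmor.
- hosts: ringnode
  become: true
  become_user: root
  tasks:
    - name: Load the vault passwords
      include_vars: "vault/vault.yml"
      # The loaded values are secrets; keep them out of task output.
      no_log: true
      tags: vault_pw

    - name: Add the vault password
      copy:
        dest: /root/.vaultpw
        # Quoted so the YAML parser hands the octal mode to Ansible as a
        # string instead of an integer.
        mode: "0400"
        content: "{{ ringnode_vault_pw }}"
      # The file content is a secret; suppress it in logs and diff output.
      no_log: true
      tags: vault_pw

    - name: Remove apparmor
      apt:
        name: "{{ item }}"
        state: absent
      with_items:
        - apparmor
        - apparmor-utils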
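# Infra nodes: install a host-specific vault password when one is defined in
# host_vaults, otherwise the generic infranode password.
- hosts: infranode
  become: true
  become_user: root
  tasks:
    - name: Load the vault passwords
      include_vars: "vault/vault.yml"
      # The loaded values are secrets; keep them out of task output.
      no_log: true
      tags: vault_pw

    - name: Add the vault password (host-specific)
      copy:
        dest: /root/.vaultpw
        # Quoted so the YAML parser hands the octal mode to Ansible as a
        # string instead of an integer.
        mode: "0400"
        content: "{{ host_vaults[inventory_hostname] }}"
      # Check host_vaults itself first so a missing mapping skips cleanly
      # instead of erroring on the nested lookup.
      when: host_vaults is defined and host_vaults[inventory_hostname] is defined
      # The file content is a secret; suppress it in logs and diff output.
      no_log: true
      tags: vault_pw

    - name: Add the vault password (generic)
      copy:
        dest: /root/.vaultpw
        mode: "0400"
        content: "{{ infranode_vault_pw }}"
      when: host_vaults is not defined or host_vaults[inventory_hostname] is not defined
      no_log: true
      tags: vault_pw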
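# Point the resolver at a public DNS server for the rest of provisioning.
# NOTE(review): the task names say "Temporarily"; presumably the resolving
# role applied later in this playbook replaces /etc/resolv.conf — confirm.
- hosts: all
  become: true
  become_user: root
  tasks:
    - name: Temporarily configure resolv.conf with public resolver (IPV6)
      copy:
        dest: /etc/resolv.conf
        # Quoted so the octal mode reaches Ansible as a string.
        mode: "0644"
        content: "nameserver 2620:fe::fe"
      when: hostvars[inventory_hostname]['V6'] is defined

    - name: Temporarily configure resolv.conf with public resolver (IPv4)
      copy:
        dest: /etc/resolv.conf
        mode: "0644"
        content: "nameserver 9.9.9.9"
      when: hostvars[inventory_hostname]['V6'] is not defined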
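# Main configuration: apply the roles, bring every package up to date, run
# pending handlers, then reboot.
- hosts: all
  become: true
  become_user: root
  roles:
    - role: etcfiles
      tags: etcfiles
    - role: apt
      tags: apt
    - role: resolving
      tags: resolving
    - role: ansible
      tags: ansible
    - role: users
      class: ring-admins
      tags: ring-admins
  tasks:
    - name: Upgrade all packages
      apt:
        upgrade: dist

    - name: Flush ansible handlers
      meta: flush_handlers

    - name: Reboot
      # Run detached so the play does not wait on a connection the reboot
      # tears down; the short sleep lets Ansible collect the task result
      # before the host goes away.
      shell: sleep 2 && /sbin/reboot
      async: 1
      poll: 0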