---
# Bootstrap play. Facts are not gathered because a fresh node may have no
# Python interpreter yet, so only `raw` (a bare SSH command) is usable here;
# every later play assumes the interpreter installed by this one.
- hosts: all
  become: true
  become_user: root
  gather_facts: false
  pre_tasks:
    # Refresh the package index before installing anything.
    - name: Run apt-get update
      raw: sudo apt-get update -y
    # Try the legacy `python` package first; fall back to python3 on releases
    # that no longer ship it.
    - name: Install python
      raw: sudo apt-get install -y python || sudo apt-get install -y python3
    # The IPv6 connectivity check later in this playbook shells out to ping6.
    - name: Install ping
      raw: sudo apt-get install -y iputils-ping
# Re-provisioning guard: /etc/ansible/ring marks a host that has already been
# set up (presumably dropped there by one of the roles applied at the end of
# this playbook — confirm). If it exists, stop here instead of redoing the
# configuration on a live node.
- hosts: all
  tasks:
    - name: Check if /etc/ansible/ring exists
      register: etc_ansible_ring
      stat:
        path: /etc/ansible/ring
    - name: Ensure an existing host is not provisioned
      when: etc_ansible_ring.stat.exists
      fail:
        msg: This host is already provisioned!
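# Pre-flight checks. Each check is a tagged pair (probe + fail) so a single
# check can be re-run with --tags. Facts are gathered here (play default)
# because the architecture check reads ansible_architecture.
- hosts: all
  tasks:
    # IPv6 reachability, only for hosts that carry an inventory var V6.
    # failed_when: false stops a non-zero ping6 exit from failing this task
    # with "non-zero return code", so the `fail` below can report the
    # intended message.
    - name: Check IPv6 connectivity
      tags: check_v6
      command: ping6 -c 1 ring.nlnog.net
      register: check_v6
      failed_when: false
      when: hostvars[inventory_hostname]['V6'] is defined
    # The V6 guard is tested first: on hosts where the probe was skipped the
    # registered result has no `rc`, and evaluating check_v6.rc before the
    # guard can raise an undefined-attribute error instead of skipping.
    - fail:
        msg: Could not ping ring.nlnog.net (IPv6)
      tags: check_v6
      when: hostvars[inventory_hostname]['V6'] is defined and check_v6.rc != 0
    # Count global-scope IPv6 addresses. grep -c exits 1 when it matches
    # nothing, which is a valid "0 addresses" answer, so only rc > 1
    # (a grep error) counts as a failure.
    - name: Check IPv6 address count
      tags: check_v6_count
      shell: "ip -6 addr show scope global | grep -c 'inet6'"
      register: check_v6_count
      failed_when: check_v6_count.rc > 1
      when: hostvars[inventory_hostname]['V6'] is defined
    - fail:
        msg: Multiple global IPv6 addresses found on node
      tags: check_v6_count
      when: hostvars[inventory_hostname]['V6'] is defined and check_v6_count.stdout|int > 1
    # Only x86_64 nodes are supported; relies on gathered facts.
    - name: Check CPU architecture
      fail:
        msg: Host is not an x86_64 system
      tags: check_cpu
      when: ansible_architecture != "x86_64"
    # PID 1's environment carries a `container=` entry inside LXC-style
    # containers. Reading /proc/1/environ needs root. A non-match (rc 1) is
    # the expected result on bare metal / VMs, so it must not fail the task.
    - name: Check virtualization technology
      become: true
      become_user: root
      tags: check_vm
      command: grep -q container /proc/1/environ
      register: check_vm
      failed_when: false
    - fail:
        msg: LXC container nodes are not supported
      tags: check_vm
      when: check_vm.rc == 0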
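# Ring nodes share one vault password, written root-only to the node
# (presumably so the node can decrypt the shared vault on later runs — confirm
# against the ansible role).
- hosts: ringnode
  become: true
  become_user: root
  tasks:
    # vault/vault.yml is decrypted on the controller; its values are secrets.
    - name: Load the vault passwords
      include_vars: "vault/vault.yml"
      tags: vault_pw
    # no_log keeps the secret out of verbose output, callback plugins and
    # --diff (the task result would otherwise include a content diff on
    # change). Side effect: a failure in this task is reported censored.
    # owner/group are pinned so a pre-existing file with different ownership
    # is corrected; mode is quoted so the octal literal is never re-typed by
    # the YAML parser.
    - name: Add the vault password
      copy:
        dest: /root/.vaultpw
        owner: root
        group: root
        mode: "0400"
        content: "{{ ringnode_vault_pw }}"
      no_log: true
      tags: vault_pw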
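# Infra nodes get a per-host vault password when host_vaults (keyed by
# inventory hostname) lists one, otherwise the shared infranode password.
# Exactly one of the two copy tasks runs per host.
- hosts: infranode
  become: true
  become_user: root
  tasks:
    # vault/vault.yml is decrypted on the controller; its values are secrets.
    - name: Load the vault passwords
      include_vars: "vault/vault.yml"
      tags: vault_pw
    # no_log on both copy tasks keeps the secret out of verbose output,
    # callback plugins and --diff; failures are reported censored as a
    # consequence. owner/group pinned so an existing file with different
    # ownership is corrected; mode quoted so the octal literal is never
    # re-typed by the YAML parser.
    - name: Add the vault password (host-specific)
      copy:
        dest: /root/.vaultpw
        owner: root
        group: root
        mode: "0400"
        content: "{{ vars['host_vaults'][inventory_hostname] }}"
      no_log: true
      when: vars['host_vaults'][inventory_hostname] is defined
      tags: vault_pw
    - name: Add the vault password (generic)
      copy:
        dest: /root/.vaultpw
        owner: root
        group: root
        mode: "0400"
        content: "{{ infranode_vault_pw }}"
      no_log: true
      when: vars['host_vaults'][inventory_hostname] is not defined
      tags: vault_pw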
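# Baseline OS adjustments applied to every node before the roles run.
- hosts: all
  become: true
  become_user: root
  tasks:
    # NOTE(review): this removes the AppArmor MAC layer from the node, which
    # drops confinement for every service on the host. The reason is not
    # recorded in this playbook — presumably profile conflicts with ring
    # tooling; confirm and document it, or prefer disabling only the
    # offending profiles.
    - name: Remove apparmor
      apt:
        name:
          - apparmor
          - apparmor-utils
        state: absent
    # Interim resolver (Quad9) so the rest of the run can resolve names;
    # the `resolving` role later in this playbook presumably installs the
    # permanent configuration. The file is written in place, so an existing
    # resolv.conf symlink (e.g. from systemd-resolved) is likely replaced by
    # a regular file. Mode quoted so the octal literal is never re-typed.
    - name: Temporarily configure resolv.conf with public resolver (IPV6)
      copy:
        dest: /etc/resolv.conf
        mode: "0644"
        content: "nameserver 2620:fe::fe"
      when: hostvars[inventory_hostname]['V6'] is defined
    - name: Temporarily configure resolv.conf with public resolver (IPv4)
      copy:
        dest: /etc/resolv.conf
        mode: "0644"
        content: "nameserver 9.9.9.9"
      when: hostvars[inventory_hostname]['V6'] is not defined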
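# Apply the configuration roles, bring the system fully up to date and reboot
# so the upgraded kernel and libraries are the ones actually running.
- hosts: all
  become: true
  become_user: root
  roles:
    - role: etcfiles
      tags: etcfiles
    - role: apt
      tags: apt
    - role: resolving
      tags: resolving
    - role: ansible
      tags: ansible
    - role: users
      class: ring-admins
      tags: ring-admins
  tasks:
    - name: Upgrade all packages
      apt:
        upgrade: dist
    # Run every handler the roles/tasks notified now, before the reboot cuts
    # the connection.
    - name: Flush ansible handlers
      meta: flush_handlers
    # Fire-and-forget reboot. With a plain `command: /sbin/reboot` the SSH
    # session can be torn down before the module returns and the task is
    # reported as a connection failure; launching it asynchronously with
    # poll: 0 returns immediately, and the short sleep lets Ansible close
    # its session cleanly first. The async limit only bounds the background
    # job; the host reboots regardless.
    - name: Reboot
      shell: sleep 2 && /sbin/reboot
      async: 30
      poll: 0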