From bc157da4625edfdafc6f008f8780d11dfdf67bd4 Mon Sep 17 00:00:00 2001
From: KemoNine
Date: Tue, 4 Aug 2020 18:58:38 +0000
Subject: [PATCH] Further ansible updates

---
 ...ploy-controller.sh => deploy-wireguard.sh} | 2 +-
 ansible/{inventory-wireguard => inventory} | 20 ++++++++++--------
 ansible/playbooks/setup-ansible.yml | 21 +++++++++++++++++++
 .../wireguard.yml} | 1 +
 ansible/setup-ansible-host.sh | 4 ++++
 piframefleet/Dockerfile | 2 +-
 piframefleet/root/etc/cont-init.d/00-welcome | 8 +++++++
 piframefleet/root/etc/cont-init.d/30-config | 3 +++
 8 files changed, 50 insertions(+), 11 deletions(-)
 rename ansible/{deploy-controller.sh => deploy-wireguard.sh} (58%)
 rename ansible/{inventory-wireguard => inventory} (79%)
 create mode 100644 ansible/playbooks/setup-ansible.yml
 rename ansible/{playbook-deploy-controller.yml => playbooks/wireguard.yml} (72%)
 create mode 100644 ansible/setup-ansible-host.sh

diff --git a/ansible/deploy-controller.sh b/ansible/deploy-wireguard.sh
similarity index 58%
rename from ansible/deploy-controller.sh
rename to ansible/deploy-wireguard.sh
index 6c25322..eeb2a14 100644
--- a/ansible/deploy-controller.sh
+++ b/ansible/deploy-wireguard.sh
@@ -3,4 +3,4 @@
 # https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/
 # https://github.com/githubixx/ansible-role-wireguard
 
-ansible-playbook -i inventory-wireguard --skip-tags wg-install,bare-metal ./playbook-deploy-controller.yml
+ansible-playbook -u ansible --private-key /opt/ansible/ssh.key -i inventory-wireguard ./playbooks/wireguard.yml
diff --git a/ansible/inventory-wireguard b/ansible/inventory
similarity index 79%
rename from ansible/inventory-wireguard
rename to ansible/inventory
index 1f679dc..1e4fa4d 100644
--- a/ansible/inventory-wireguard
+++ b/ansible/inventory
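Review bot: The new ansible-playbook line still passes `-i inventory-wireguard`, but this same commit renames that file to `ansible/inventory`, so the script fails with a missing-inventory error the first time it is run from the repository. Change it to `ansible-playbook -u ansible --private-key /opt/ansible/ssh.key -i inventory ./playbooks/wireguard.yml`. Both the inventory and the playbook path are relative, so it is also worth stating the expected working directory in the header, e.g. `# run from the ansible/ directory`.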
@@ -1,16 +1,19 @@ --- +all: + hosts: + frame1: + ansible_host: 10.5.5.177 + dispatcher: + ansible_connection: local wg: hosts: frame1: - ansible_host: 10.5.5.100 wireguard_address: 192.168.254.11/32 - frame2: - ansible_host: 10.5.5.101 - wireguard_address: 192.168.254.11/32 - controller: - ansible_connection: local + dispatcher: + wireguard_containerized: true wireguard_address: 192.168.254.1/32 wireguard_endpoint: "" + wireguard_table: "Off" wireguard_postup: - ip route add 192.168.254.0/24 via 192.168.254.1 dev wg0 - iptables -t nat -A PREROUTING -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT @@ -26,7 +29,6 @@ wg: - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 192.168.254.0/24 -j ACCEPT - iptables -D -A INPUT -i wg0 -s 192.168.254.0/24 -d 0.0.0.0/0 -j DROP vars: - wireguard_allowed_ips: "172.16.8.10/24" - wireguard_endpoint: piframefleet.domain.tld + wireguard_allowed_ips: "192.168.254.0/24" + wireguard_endpoint: 10.5.5.246:51821 wireguard_persistent_keepalive: 30 - wireguard_table: Off diff --git a/ansible/playbooks/setup-ansible.yml b/ansible/playbooks/setup-ansible.yml new file mode 100644 index 0000000..5cee6bc --- /dev/null +++ b/ansible/playbooks/setup-ansible.yml @@ -0,0 +1,21 @@ +--- + - hosts: all + become: yes + tasks: + - name: Add ansible user to PiFrame + user: + name: ansible + groups: + - sudo + shell: /bin/bash + - name: Add ansible ssh key as authorized key + authorized_key: + user: ansible + key: "{{ lookup('file', '/opt/ansible/ssh.key.pub') }}" + - name: Setup ansible with sudoers access + copy: + dest: /etc/sudoers.d/ansible + mode: '0600' + owner: root + group: root + content: ansible ALL=(ALL) NOPASSWD:ALL diff --git a/ansible/playbook-deploy-controller.yml b/ansible/playbooks/wireguard.yml similarity index 72% rename from ansible/playbook-deploy-controller.yml rename to ansible/playbooks/wireguard.yml index 3e2a12b..2cde579 100644 --- a/ansible/playbook-deploy-controller.yml +++ b/ansible/playbooks/wireguard.yml 
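Review bot: `wireguard_table: "Off"` is now a string instead of the YAML 1.1 boolean that the old unquoted `Off` produced, but the value is case-sensitive downstream: as far as I recall wg-quick recognises only the lowercase `off` for `Table =` and otherwise treats the value as a routing table name, so interface bring-up would likely fail on the dispatcher. Suggest `wireguard_table: "off"`. The `wireguard_table: Off` line removed from `vars` in the following hunk has the same casing, so this change moves the problem rather than fixing it.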
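Review bot: `wireguard_endpoint: 10.5.5.246:51821` is left unquoted while `wireguard_allowed_ips` directly above it is quoted; a plain `host:port` scalar parses as a string on YAML 1.2 loaders, but colon-containing values are the usual implicit-typing trap, so quote it for consistency: `wireguard_endpoint: "10.5.5.246:51821"`. Separately, the unchanged context lines at the top of this hunk read `iptables -D -A INPUT ...`; combining `-D` with `-A` looks like a leftover from copying the postup rules and presumably makes those teardown commands error, so `iptables -D INPUT ...` is probably what was intended there.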
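Review bot: The sudoers drop-in written by the "Setup ansible with sudoers access" task is not validated before it is installed, and its `content` has no trailing newline; sudo has historically rejected fragments that lack one, and a malformed file under `/etc/sudoers.d` can disable sudo for every account on the host. Add `validate: 'visudo -cf %s'` to the `copy` task, write the content as `"ansible ALL=(ALL) NOPASSWD:ALL\n"`, and use the conventional `mode: '0440'` rather than `'0600'`. Because this task grants passwordless root to the `ansible` account whose private key lives in the container volume, a one-line comment above it stating that the key file is the effective root credential for every frame would help later maintainers. Minor: `become: yes` should be `become: true` per yamllint's truthy rule.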
@@ -1,4 +1,5 @@ --- - hosts: controller + become: yes roles: - wireguard diff --git a/ansible/setup-ansible-host.sh b/ansible/setup-ansible-host.sh new file mode 100644 index 0000000..c04077e --- /dev/null +++ b/ansible/setup-ansible-host.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +ssh $2@$1 'echo Just ensuring the ssh key is accepted ahead of configuration' +ansible-playbook ./playbooks/ansible-setup.yml -i $1, -u $2 -k diff --git a/piframefleet/Dockerfile b/piframefleet/Dockerfile index b8e0cc7..3c5a17d 100644 --- a/piframefleet/Dockerfile +++ b/piframefleet/Dockerfile @@ -41,7 +41,7 @@ RUN apt update && apt upgrade -y && \ echo "**** filebrowser ****" && \ curl -fsSL https://filebrowser.org/get.sh | bash && \ echo "**** ansible ****" && \ - apt install -y python3-apt ansible ansible-lint ansible-doc && \ + apt install -y python3-apt sshpass ansible ansible-lint ansible-doc && \ echo "**** cleanup ****" && \ rm /opt/arch_detect.sh && \ rm /opt/s6-overlay.tar.gz && \ diff --git a/piframefleet/root/etc/cont-init.d/00-welcome b/piframefleet/root/etc/cont-init.d/00-welcome index 8c98002..660819f 100755 --- a/piframefleet/root/etc/cont-init.d/00-welcome +++ b/piframefleet/root/etc/cont-init.d/00-welcome @@ -18,3 +18,11 @@ Service Status - FileBrowser : ${ENABLE_FILEBROWSER} ------------------------------------- " +if [ -f "/opt/ansible/ssh.key" ] ; then +echo " +------------------------------------- +Ansible SSH Key" +cat /opt/ansible/ssh.key.pub +echo "------------------------------------- +" +fi diff --git a/piframefleet/root/etc/cont-init.d/30-config b/piframefleet/root/etc/cont-init.d/30-config index 4a97793..b866d97 100755 --- a/piframefleet/root/etc/cont-init.d/30-config +++ b/piframefleet/root/etc/cont-init.d/30-config @@ -13,6 +13,9 @@ fi if [ ! -d "/opt/ansible" ] ; then mkdir /opt/ansible fi +if [ ! -f "/opt/ansible/ssh.key" ] ; then + ssh-keygen -t rsa -b 4096 -f /opt/ansible/ssh.key -N '""' +fi if [ ! -d "/opt/ansible/roles" ] ; then mkdir /opt/ansible/roles fi
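Review bot: The play still targets `hosts: controller`, but the renamed inventory in this commit no longer defines a `controller` host (it is now `dispatcher` in both the `all` and `wg` groups), so `ansible-playbook ./playbooks/wireguard.yml` would match no hosts and the newly added `become: yes` never takes effect. Update the target to match the inventory, probably `- hosts: wg` given that `deploy-wireguard.sh` no longer skips the install tags, or `dispatcher` if only the controller side is meant to be configured. Prefer `become: true` over `become: yes` for yamllint's truthy rule.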
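Review bot: The script runs `./playbooks/ansible-setup.yml`, but the playbook added in this commit is `ansible/playbooks/setup-ansible.yml`, so the bootstrap fails immediately after the ssh probe. Beyond the path, `$1` and `$2` are unquoted and unchecked, so a missing argument turns the probe into `ssh @` and hands ansible-playbook an empty inventory pattern; an explicit argument check and quoting make the failure obvious. Since this is the step that sends the password over ssh (`-k` relies on the `sshpass` package the Dockerfile hunk adds), a usage line documenting `<host> <user>` also helps.
```shell
#!/bin/bash
set -euo pipefail

if [ "$#" -ne 2 ]; then
  echo "usage: $0 <host> <user>" >&2
  exit 1
fi
host="$1"
user="$2"

ssh "${user}@${host}" 'echo Just ensuring the ssh key is accepted ahead of configuration'
ansible-playbook ./playbooks/setup-ansible.yml -i "${host}," -u "${user}" -k
```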
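Review bot: The new block tests for `/opt/ansible/ssh.key` but then reads `/opt/ansible/ssh.key.pub`, so if the pair is ever incomplete (public half removed, or a key dropped into the volume by hand) the banner prints a `cat` error instead of the key. Test the file that is actually printed: `if [ -f "/opt/ansible/ssh.key.pub" ] ; then`. Emitting only the public half into the container log is the right choice; a comment such as `# public key only; the private key never leaves /opt/ansible` would make that intent explicit for future edits.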
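Review bot: `-N '""'` passes the literal two-character string `""` as the passphrase, not an empty one, because the single quotes keep the double quotes from being consumed by the shell; the key generated here then cannot be used non-interactively by `deploy-wireguard.sh --private-key /opt/ansible/ssh.key` without a passphrase prompt. Use `-N ''` for an empty passphrase. Consider also `-C "piframefleet-ansible"` so the key is recognisable in `authorized_keys`, and a comment noting that the key is generated once per volume, so rotation means deleting `/opt/ansible/ssh.key` and re-running the bootstrap playbook.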