From 283a554b5ff76811e0492ad0307738b00bdcdf44 Mon Sep 17 00:00:00 2001 From: LH Date: Sun, 8 Oct 2023 14:55:21 +0200 Subject: [PATCH 01/11] feat: Github runners working --- .ansible-lint | 16 ++++ .gitattributes | 2 + .github/semantic.yml | 11 +++ .sops.yaml | 6 ++ .vscode/settings.json | 6 ++ ansible.cfg | 3 + group_vars/all/github-runners.sops.yml | 26 ++++++ group_vars/all/pve.sops.yml | 51 ++++++++++++ group_vars/all/pve.yml | 6 ++ group_vars/all/users.sops.yml | 32 ++++++++ host_vars/lab/ansible.yml | 2 + inventory.yml | 3 + node_modules/.yarn-integrity | 12 +++ package.json | 14 ++++ playbooks/_all.yml | 3 + playbooks/github-runners.yml | 37 +++++++++ playbooks/proxmox-vms.yml | 15 ++++ playbooks/proxmox.yml | 80 +++++++++++++++++++ .../templates/runners-docker-compose.yml.j2 | 37 +++++++++ requirements.yml | 21 +++++ tools/apply.sh | 27 +++++++ yarn.lock | 4 + 22 files changed, 414 insertions(+) create mode 100644 .ansible-lint create mode 100644 .gitattributes create mode 100644 .github/semantic.yml create mode 100644 .sops.yaml create mode 100644 .vscode/settings.json create mode 100644 ansible.cfg create mode 100644 group_vars/all/github-runners.sops.yml create mode 100644 group_vars/all/pve.sops.yml create mode 100644 group_vars/all/pve.yml create mode 100644 group_vars/all/users.sops.yml create mode 100644 host_vars/lab/ansible.yml create mode 100644 inventory.yml create mode 100644 node_modules/.yarn-integrity create mode 100644 package.json create mode 100644 playbooks/_all.yml create mode 100644 playbooks/github-runners.yml create mode 100644 playbooks/proxmox-vms.yml create mode 100644 playbooks/proxmox.yml create mode 100644 playbooks/templates/runners-docker-compose.yml.j2 create mode 100644 requirements.yml create mode 100644 tools/apply.sh create mode 100644 yarn.lock diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..91295bc --- /dev/null +++ b/.ansible-lint 
@@ -0,0 +1,16 @@ +exclude_paths: + - .cache/ + - .github/ + - node_modules/ + - "**/*.sops.yml" + - ".sops.yaml" + +use_default_rules: true + +skip_list: + - role-name[path] + - name[play] + - yaml[octal-values] + - yaml[new-line-at-end-of-file] + +offline: false diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..efa36a9 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,2 @@ +* text=auto,eol=lf +*.* text eol=lf \ No newline at end of file diff --git a/.github/semantic.yml b/.github/semantic.yml new file mode 100644 index 0000000..c0d538f --- /dev/null +++ b/.github/semantic.yml @@ -0,0 +1,11 @@ +titleOnly: true +types: + - feat + - fix + - docs + - refactor + - test + - build + - ci + - chore + - revert \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..870ea1c --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,6 @@ +creation_rules: + - path_regex: ".*\\.sops\\.ya?ml$" + # Workaround for https://github.com/mozilla/sops/issues/1103 where sops does not currently work correctly with age via YubiKey + pgp: 2D1D9C803F35BBC24014C3906601E1EB2454827F # lholota + age: > # GitHub + age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..d422c17 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,6 @@ +{ + "files.eol": "\n", + "files.exclude": { + "**/node_modules": true + } +} \ No newline at end of file diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..c5770b4 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,3 @@ +[defaults] +vars_plugins_enabled = host_group_vars,community.sops.sops +timeout = 30 \ No newline at end of file diff --git a/group_vars/all/github-runners.sops.yml b/group_vars/all/github-runners.sops.yml new file mode 100644 index 0000000..734f761 --- /dev/null +++ b/group_vars/all/github-runners.sops.yml 
@@ -0,0 +1,26 @@ +github_runner_instance_count: ENC[AES256_GCM,data:mA==,iv:tZXyT9ZymWgL2FyK1mne0SJkoX7zK0RCAlLY0Og0R7g=,tag:bcKLeeC1OJXEEEWiGAML6Q==,type:int] +github_runner_image_tag: ENC[AES256_GCM,data:X9NC6rKM,iv:YeQgFHOj0gjTlK32GuMmBzY64y/3Kl57bCT2WyHBhxk=,tag:xONE6hc2fZopRANcdMMsdQ==,type:str] +github_runner_token: ENC[AES256_GCM,data:IMdt5UkiN14/sa2Mxzut0Gy8Wql9V8Ond/ogI66GDcnKguVaUPnOaiH+AvNX/3u5kj19s3XEFz5+5fVZHnTU2McjlbYDyH6HW0U4JlM0d7aoQQabn0TQzKgV1tbM,iv:v0vtvtTnpxUcew+2K29muaG45OEi5FD7CZA2D2hRXCQ=,tag:4hUPGmpyZKxi8Wy2F5eEzw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0V1Y1MlpUcWJ5YnVmK3Ji + SG9QRXVVcEpWbEp2T0haV3dpQ3lpYVpIZEQ4CmZ4M0ZRbWU0NUdWTDIxUVNKNk1R + Qk5GcTFLaW5lblMvMWFmZWl1L2ZzZW8KLS0tIEhsL3gva0oyNEhxZnJud2hMZFhh + Sm9NTXdMOXd0YWh2Z2VWbDdWWXFLQkUKon5P3KZOQFnWHAToI2efSTFLUMLdKCu4 + DquCDOmiRCidGzVooH2SKRoN5zF0B39UP9ww2uSxCL7UAIEWjQguMA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-05T13:12:40Z" + mac: ENC[AES256_GCM,data:mgY778ZTnRsD8kU+Dgwg1zowdcGJrAqJt12noQx5xMJzzzErr57zUUEYlg/jWlpRJYKjJVJBrmUNFX0myfIrNtNSdqgC3noArJi3Vin43PSBMDuVX3CcMyFWULNVUY9viG8STYX8ESLS3nEPE6nklbaA7zYVikvfEJFf4xyu5n8=,iv:BC1pBiZnS27KgGcUhWDfuXTXxJfydH/JL0Ji59KPqYQ=,tag:t9Xl+rKG4wJXhXAVthrAgg==,type:str] + pgp: + - created_at: "2023-10-05T13:12:35Z" + enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ/+IzFGsg0wMa0G+HjlZuMQLlRxLdl+HYltSS+R88Z36MOs\r\nW2zHCnMQMui3OdvDyOgc2wbd20v2Xf/8EQAlmrqdSFA6XVj5ypby+1fB/B0/NIs9\r\nC9Lw8JH58YrfW4nBQGcDEEMnfr4USp/29PHgpSI2N+I+T0iw0rMuy8d4ID9NpOs+\r\nnsnUupsB/mxgzDZ3mG+4DT/iiFDvegUmjZr2R3ZNxMWBghCO7qsA/h85mqKwLUeX\r\nAsh1TvHY8Wh02vK8RvmunOiABwyZuOwLVJUXP40TogEEADQFugIw66l1fGRv7QKD\r\nK051tBcYx0O1d31tt9tWX9oDPHlbSSWizY56rWORIeRr5um5BZ7qyQdCoxvYTUYw\r\nteDm39vekWbnyWIKFVutNcJYHjXUimpi4KUFIU+WIwn6lXj6PVBuMRwTrRlpc2Ti\r\nt6sxbKtb0ZixbevXMbrBcRWPvSaNuVwLxRLPN3s2ELf/dM2WdmGPUuUYQK1p9SyY\r\nULadjm/I0iRoPC8e+DDN2nqCCGpTSyaaGdkwmHrCuFIJF3oTH6Mc9qESgwmZKqHC\r\ndZiaxtkzG+Oup1QHCSwZJGYEVhtVf8qRCo4muf/A1Poe9BerHwQbv8wYazbs9kFw\r\nk0ViNdUrsR58JcftykA9MV3xtytcEsxd2F/A+p6+WH/3vM5fyvdWa50Jimzszz3S\r\nXAGxLP68inRZiLrcB3EJKlsb8rlaKqOoRqQyMIeV/+Gwn43pZsdFbI0RuOsjbxyd\r\nf0fwcJGXy5Uh9LJGmhiXCX1WSVSwvGFQQJUtBu+dPulfKC3hucAn7RdkQWG+\r\n=FtvM\r\n-----END PGP MESSAGE-----\r\n" + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/group_vars/all/pve.sops.yml b/group_vars/all/pve.sops.yml new file mode 100644 index 0000000..7bff8bf --- /dev/null +++ b/group_vars/all/pve.sops.yml 
@@ -0,0 +1,51 @@ +pve_default_realm_name: ENC[AES256_GCM,data:VaNF,iv:DVu0ef1Uztb8CJa5PZwzcIKKflgHz1etLiCRu500/2Y=,tag:w2EjGnXsLZmDlIfDvJYKQA==,type:str] +pve_openid_realms: + - name: ENC[AES256_GCM,data:zGGc,iv:0jNuzM3ArlU4hwCB/iZiAvp0OhakmslXk3BJJH7gDLs=,tag:UwNFcC1+XOyb++U9PAtMog==,type:str] + display_name: ENC[AES256_GCM,data:yyHnasNbA8MRtUSigSqgmX6moiNXJQ==,iv:bb090tnAH+zJAbYsGnmaYcw8P96SyF+hvODpZOaSkeA=,tag:407MABcbQIHH9iPKX/OQnw==,type:str] + client_id: ENC[AES256_GCM,data:20D+eivXYYVILXY7HEMQER3/SIg7TC+aY43S/Qd6TPdJTnns,iv:g/XvmjeMWfyjW+azwP5TqYW7aD24FfKQa6Q8rZd5Z+Q=,tag:/Otg30gd56kT6bSp5VUAiw==,type:str] + #ENC[AES256_GCM,data:WtvK0zfpdO549d1cgQrKegV61wG6QL8JTLqjOygzyn3cWghH1jClTxcKUe91sfyVzDAyHsj4IcWe1avgUA==,iv:lf4BwAh7IiCBaeO0ZulhAX6/bSKdWEEDPhieA1ilG1I=,tag:eK8RHfG+4n9buk+IAkS3vQ==,type:comment] + client_secret: ENC[AES256_GCM,data:WOZ9jctar0KUz1tKRQNpAmm7JCx7zxfCKfjz29dI1uymoeZU2e1siw==,iv:91fCzkhl0wTrHP+WTvUTw+46kcJnfTo4mdnhZW8c+es=,tag:bIsabuf95zaLE3ajzkBpog==,type:str] + url: ENC[AES256_GCM,data:4f9BpFgZpbOXyIfNDN8dFVnQbTrvT/OhPo5zJ41F+4vHLLWFjDYboCztzaGYiLAdJ7314hX28iwKWX47OehDENuURvFwU0nBW2ND,iv:s704OZBU0ZGXP9efwmrD+SaGeqn79gVrYU9Jfi6MBYg=,tag:pGQM8/R4zNq6hidlYWsAgA==,type:str] + #ENC[AES256_GCM,data:bqetwB8Qqk7uiXisMDTStIR12zsA94YGdJz9i5UC3Yi7zNTHLwQD7FnA4d2IuqXNTG8C3J0Hyvc=,iv:nRjLWXa/EdNidmiyN4AmwzWC+eZOT2rE+JpnZBQdops=,tag:jewew45mABmLbnxHuPQ21g==,type:comment] + autocreate_users: ENC[AES256_GCM,data:1HuCqWk=,iv:rtginL+v6lEvi76v0AOIv5OQTSNOEdoB4BYydvhMYN4=,tag:w0y0AJQRewa8l0uax4PXow==,type:bool] + username_claim: ENC[AES256_GCM,data:fMhAm2o=,iv:lxP7RfJWSkjg6TufNRbVe/1b4BBQUOrPD7Eyvi+cnpw=,tag:3cf4fN3bZwJM/W/4qdIsrQ==,type:str] + scopes: ENC[AES256_GCM,data:OImqiLjLt09kLopZ,iv:Bskb38n6BPvTMOkyBIOcVFo9ZtaG0LGmkUE/w8Pm4W8=,tag:gpI1Uut6dCMAXAyv9KItvw==,type:str] +pve_users: + - username: ENC[AES256_GCM,data:ABDuQALMn070XD45JuA=,iv:16wDOq/kfG1dK9WvToZahyJcuMFeAyBPJZiX0OzGJ3Y=,tag:ZiqWSx5wQ+PVV7rYwSkdmQ==,type:str] + realm: 
ENC[AES256_GCM,data:/+w4,iv:9vDN62iMqM+XRGX+sUlOnefbneHsd4q1JzUNd1mSMqw=,tag:C3Bfcq7Oh+iQQQ6BAVLSAw==,type:str] + enabled: ENC[AES256_GCM,data:F8JCHQ==,iv:AknFOkLxLv1wqIkBrMQgwLVpEbGy22qEvqqIaWqmg7E=,tag:sYyy07B0snxg453bQMPIEw==,type:bool] + first_name: ENC[AES256_GCM,data:Dxf1zN4=,iv:jnPMKEVCr8xF+Uy2BRY+bBvKPWaQ0declhPJgayRK4c=,tag:y1r0wWkYxJvTXrgAFaLt3A==,type:str] + last_name: ENC[AES256_GCM,data:1Mdn/xRX,iv:SaT+uhC4T3cix49p1spajpTiI4tLyIfmHzgu79PGsAQ=,tag:zavT+nukkBBYkF/GweFwfw==,type:str] + email: ENC[AES256_GCM,data:w+13Jxnv92qB6Nlx0E8=,iv:QFCrWOU5qqX4CeAG0n6AO0VVKc1v/b943935CrVrqKQ=,tag:GtsM5Pg/KNYG9JAH5SfJMw==,type:str] + permissions: + - scope: ENC[AES256_GCM,data:2g==,iv:YGysrUjFdMab+YRdVtF+TPAXQLt4fUiqGPYlvqfWvIQ=,tag:Q6PKOSR6/34MlQOaCP2GFg==,type:str] + roles: + - ENC[AES256_GCM,data:bvbayW6px4Tx2Giwmg==,iv:ynxcFRnlP0uQns1WTL6foZa9uximXYFUyfh8QvD6fDc=,tag:Fatc5DFno63mrdP38U2iHw==,type:str] +pve_acme_use_staging: ENC[AES256_GCM,data:Hk4o9yM=,iv:Y3gF6X2rirLAPisoLS3PaZ3Fy+q3qKBVlinPHtK/fd4=,tag:Lv0G5vsCfoIpuupzO+3CZw==,type:bool] +pve_acme_account_email: ENC[AES256_GCM,data:VUvuXLeyKqimSF7dfB6kHSQIIoAFnw==,iv:1glnIQjt+52+2APzH33dJPjuwhFdgskGHmpKaaFpzHc=,tag:fFtec+dCuZfHuI18kywLIw==,type:str] +pve_acme_root_domain: ENC[AES256_GCM,data:A8aPzVGw7Ezh7WboLg==,iv:6KhF6CZuaY0TCJfhw/Rr7p4w8dSsWFzR5hRqRUmZZrE=,tag:8Vw0Ux6fDkddV8s4RcoOZA==,type:str] +pve_acme_cloudflare_account_id: ENC[AES256_GCM,data:pD64wGiTCe9uUynC3QoOn5o89nIZeW372cw5Ab6ubHQ=,iv:1lJyedTuv6ZTVEV1XTQHcG60VxuL4gCSNvA6qR/eWz4=,tag:wf/hZVjMfCo6RySsTGkKYQ==,type:str] +pve_acme_cloudflare_token: ENC[AES256_GCM,data:5xfnW6DLZP5KiUoQYMLNkqchEuAXuiGwGhRji0nRc5Yd9j5o2PDV0g==,iv:5vHgV5af28yKUrn2D5zdoTpg2gwYpz1ZkgHWMFcSqPc=,tag:ygC9EFX7mY4XG1t9ZcYr+w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTN0d5VVRWc0lZMnNHV3Zt + cEJRemxSb1dBb2ppaWY5YTJGUEVtZENJVXhBCnFLcG4yOC9EYWFqcW1tZHRWenlz + UGUyK3N5ZGhnSFNqVUgralBPMEMvOUEKLS0tIEU4cUhkN0txVCtGQnA3aXhpVXd6 + cWZDTjRmQUNqeFFXWVFXYzZaRzRhOWcKhATORzCnrd5mZuSiMZGEuLrk2I8ZSfYU + afoukYbYCKvISAZR2YXMhD5hNhifgRD+/SS48e7S5CqqBrMoxP4x7w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-05T10:26:27Z" + mac: ENC[AES256_GCM,data:W6aLSZqH+dsUyyLXMtV7YsnCTDz0LxB5LkqFJGABuexPfqKgHn0P3ZjWSH35l1EoOi4sHQeS2PdvbNiUbSalZ6fG/vhz/VRoQ6ii2cFBPwuHjIYXSAFL9Ed0OxuoS8HxpJ3x25BhHY54rhOwpgWXiwcJ64KhhQrWH9+XULGZ1+I=,iv:RsPTNog+rZTe8lWNjxoOd+1c86d1gVxU99ByXF3/ZD8=,tag:bZJF7vo1lHEIlCPhOQbXAQ==,type:str] + pgp: + - created_at: "2023-10-04T19:45:00Z" + enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CARAAgZKyxWvK6kxZkb2+5h0VV6tMkOxXRDh3iSdCAgUxXHF8\r\nDuu+ZL8CRHLhtmojeAEuehjlolvRczzMYCroxsV5USokfQbANIAk3f+K/EnSvak6\r\nlHyJ3QLcJCHfMbGQDRScFAJmog9py+3y8UPgxMSFePUpwLgbXXDLljBLoaNsGpcq\r\nBq4m4VuEOq8BiRV/MdH3y4/GhIX7F3ywC9f1D/LsjluYRy2+K9X+7xFPolxSR0cM\r\n3FKNvK49rloLjf9uZEVfZ3aGdE5qGn5AJnHRyPidgbk/x8NlOf2g5jTQ4oZfxJrj\r\n5y2FzRjitJl8P6nHYua0lIZkTUED6PCiC2X8SJSajXArerNkMRBKTGb7XTHKZdcT\r\ntey4FiDsTsVPHhGmW1fZ63byILRckDlLgsr7ZEceNWP+rPSVjSH3R5YWuAAjBY2G\r\n3718eLw50naVCnrZ4mMh05gRuAM9MKVhASRFKBKT+5H14Rhc7cT7o0oC2qITsNu1\r\n7I8lhnzutXZmK9ni1g2oB5tjuq2y/cBp0jFR9gMg+usdcZWyeVtNUzKaADe7YCdG\r\nLj59xNL9Pk825CVHwjfnfyb4qbpM8FMW8VX5y8obq0MSdRZPDnMcTiCQk1stmZ6M\r\nWsM8q/Ge899j7uyqZUZiynlE9tW3FvQ5tFPyArjd76Zuuve9WRr5tRe75oYmd+PS\r\nXgHxdN2eUYZlyR0na36CvPP7sO/B1rjbhw1JlaaN5qDiy/2WyJKNd/8vtldEut9O\r\n9JUULZ9WXzqcsBugzWI5FwRlYx9Rq9o0xSIjFjTFEuNvNLzqbJTXtSqfkIRin7Y=\r\n=yq0q\r\n-----END PGP MESSAGE-----\r\n" + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/group_vars/all/pve.yml b/group_vars/all/pve.yml new file mode 100644 index 0000000..370d55a --- /dev/null +++ b/group_vars/all/pve.yml 
@@ -0,0 +1,6 @@ +pve_zfs_max_arc_size_gb: 1 + +# This creates a circular dependency, but alert e-mails from lab do not really matter +pve_smtp_host: 10.1.8.130 +pve_smtp_port: 25 +pve_smtp_tls: false \ No newline at end of file diff --git a/group_vars/all/users.sops.yml b/group_vars/all/users.sops.yml new file mode 100644 index 0000000..ba8e7e8 --- /dev/null +++ b/group_vars/all/users.sops.yml 
@@ -0,0 +1,32 @@ +users_root_password: ENC[AES256_GCM,data:Eb5HH1DqzAGiRysqOL+A6BfQbKww9yF8rg5d,iv:ihevurlTyUflTXL1gHQalEshwJ722M2oSqwjNeSz6dg=,tag:e4/hhNHNC8JNn3Vx/X7UJA==,type:str] +users_root_password_salt: ENC[AES256_GCM,data:YkeDIcyEnk4OMH905uPjtQ==,iv:FR3uqi4fRdS+siGEELCoEtF6kJlmMwHgkQ6XYboLAd8=,tag:hYAwVJF7QZlDeaHxg+z3mw==,type:str] +users_admin_users: + - username: ENC[AES256_GCM,data:FO5+NoVGEQ==,iv:hAtARX0AlK3iK3MKSVKaFMzJEisIV40h5jf4bm7eF2s=,tag:pINymyHTxG+42OQK2IicLg==,type:str] + public_keys: + - ENC[AES256_GCM,data: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,iv:mU2knJRN+ZdF+ZPjrSAFvqxDggjFh4Bxqe0l5glbD/k=,tag:TwCsKM4cNHak9cQvtYP71g==,type:str] + - ENC[AES256_GCM,data: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,iv:yVR1Mekp2XmGUtdN8QakgRi4EfSy5sqx4TBHyRGQick=,tag:8qFbLqSw4J4g4t7zW73gtA==,type:str] +ssh_allowed_users: + - ENC[AES256_GCM,data:BFTfTztNtw==,iv:qdNkFeKIijwKUi02P/TsZQtRWHbG1MDia+MjMBGMmxY=,tag:K9W8rJ8c7G+1IZlg14FnNQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1zw6c356patclh7q8cq5a99cghpzmnufgtwfaa0tmcg87a038d9ms4xpytn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmckpueU1CS1czN0tJWjBu + dnR1K2E0UktjSHFTZU1YdXI3bS9YYkY4VlQ4Ckk2bUY3RjZFODVJSVlsU0lxTjJz + UmZyNlJ1VFlIYnJIOGNIb2pnelA1WlUKLS0tIG1KWE5rWVpIallWNmw2RHR3VUNJ + aitTaEtqVlNVcWQ0Q2FoTkhLU2JiQ2MKhpD/ZMV7OFJ4Y2hguan6qQ++RyzMHp29 + zLMvVALHfQbBPEHp5rz5RrusdivpM+euOSC9/VzyRtrfpIFTA6PIEA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-04T13:40:39Z" + mac: ENC[AES256_GCM,data:/VeY/oouT354/D0z3XYsMRHFQov5zDdodqCZnzI5AJf3wgnAI+Hm5aCSYTo8oQ++53pVO60bm5UdboMrEPvldwBwic8Gbkg4Ok088qrbsfByBdG6KMWGqXRF5YJ4r+dYr66ePsc/jpFs+6Vla88PDSvbKqa3Y1L2evITlKtOmWA=,iv:9zSssWzuqZ2uluRxPrlSDtg9+AB9E88tsqr73NyaMdY=,tag:J2Voxj0gsc5rJ68Uv8wwwQ==,type:str] + pgp: + - created_at: "2023-10-04T13:39:41Z" + enc: "-----BEGIN PGP 
MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ/+KJBiy37oLCInVze3SY8J9GHr+mii9dJ3ZmFIALmo5a/5\r\nWpedezSIVplYGfbmHIKYpM0wPs0Ym0iBgwkXxs4+DlZ2yoOTaVUXph5zBLIKUOV4\r\nINHaEiinuc5FmMxZ50Yigsy5Nye77uEa9sFdcThlszPjiWyH6taJxtwBU30WdAaa\r\nDA28U3yUbKoEAjPnu0au1karZ6sWaOdRgIczTsovWV5d/PUJGvduyTxWlNbwRfoH\r\nKnGJxlpwZLoBr6dabt9lcC57SVKlmsuxQQ1h5f09vustZ+LTLDn5MQX6RurRof/F\r\nNHD1dWLKo4N8JcvNDFdW7RQd2UGQkGBf3v7UfLTmDg8qbwb0TcOjYtrJEx8oJNjF\r\nsKPq8BzrYc+tCtYNiVPLx3B0pNrmLJvQngQGfbmcQwr8uFCd/aFYlYBk3yijv5mr\r\nrGXEeeCkXWdOXapHYR2A9jBKIyM5sU1ouqH92DqWsGJX/K1WSWeT3liRu54bGEVR\r\n8RGCq6j6h2LwuGPf8JiMuayXLlR+tvH7SL7ssustLU6o7YyX2aRCD4jhkgpP762r\r\nrewYjOAiNPHiD0p/eeSxsUm/buacP1P5hergFi1I1FNvvthGzrH0rblw6dg0txA0\r\nlNIaisp2GakZXAIO/TRFh7Nne1idGu0FFmnTdH0Y95+hdYlB/qdtcGB2MxhLyHvS\r\nXgFxXbHwwOuTc48gvikKlsg08JU00Rl8mR9OayVa89HeTRL/3ty+QYCWWDOy92No\r\nU1Vn9xvlYN/OrtEHnYOvDNtQ3yZs+5EPY27HhauqrP+la70K2HNU7M7nJNomk3o=\r\n=acgc\r\n-----END PGP MESSAGE-----\r\n" + fp: 2D1D9C803F35BBC24014C3906601E1EB2454827F + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/host_vars/lab/ansible.yml b/host_vars/lab/ansible.yml new file mode 100644 index 0000000..a0b455a --- /dev/null +++ b/host_vars/lab/ansible.yml @@ -0,0 +1,2 @@ +ansible_host: 10.1.8.10 +ansible_user: lholota \ No newline at end of file diff --git a/inventory.yml b/inventory.yml new file mode 100644 index 0000000..643a2b5 --- /dev/null +++ b/inventory.yml @@ -0,0 +1,3 @@ +all: + hosts: + lab: \ No newline at end of file diff --git a/node_modules/.yarn-integrity b/node_modules/.yarn-integrity new file mode 100644 index 0000000..19ce570 --- /dev/null +++ b/node_modules/.yarn-integrity @@ -0,0 +1,12 @@ +{ + "systemParams": "linux-x64-108", + "modulesFolders": [ + "node_modules" + ], + "flags": [], + "linkedModules": [], + "topLevelPatterns": [], + "lockfileEntries": {}, + "files": [], + "artifacts": {} +} \ No newline at end of file diff --git a/package.json b/package.json new file mode 100644 index 0000000..5e232b1 --- /dev/null 
+++ b/package.json @@ -0,0 +1,14 @@ +{ + "name": "@homecentr/platform", + "version": "1.0.0", + "repository": "git@github.com:homecentr/platform.git", + "author": "Lukas Holota", + "license": "GPL", + "private": true, + "scripts": { + "lint": "ANSIBLE_CONFIG=\"./ansible.cfg\" ansible-lint", + "setup:local": "ansible-galaxy install -r ./requirements.yml", + "init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh proxmox -u root -e ansible_user=root --tags init -k", + "apply": "./tools/apply.sh" + } +} \ No newline at end of file diff --git a/playbooks/_all.yml b/playbooks/_all.yml new file mode 100644 index 0000000..1b77cfe --- /dev/null +++ b/playbooks/_all.yml @@ -0,0 +1,3 @@ +- import_playbook: proxmox.yml +- import_playbook: github-runners.yml +#- import_playbook: proxmox-vms.yml \ No newline at end of file diff --git a/playbooks/github-runners.yml b/playbooks/github-runners.yml new file mode 100644 index 0000000..2b8b2a7 --- /dev/null +++ b/playbooks/github-runners.yml @@ -0,0 +1,37 @@ +- name: Install and configure self-hosted GitHub runner containers + hosts: all + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Install Docker + ansible.builtin.import_role: + name: geerlingguy.docker + vars: + docker_install_compose_plugin: true + tags: [ docker ] + + - name: Load groups + ansible.builtin.getent: + database: group + split: ':' + key: "docker" + + - name: Set docker group id to facts + ansible.builtin.set_fact: + docker_gid: "{{ ansible_facts.getent_group['docker'][1] }}" + + - name: Install required python packages + ansible.builtin.package: + name: + - python3-docker + - python3-compose + state: present + + - name: Set up runners compose stack + community.docker.docker_compose: + project_name: github-runners + definition: "{{ lookup('template', 'templates/runners-docker-compose.yml.j2') | from_yaml }}" + recreate: always + state: present + # state: absent 
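Review bot: The `init` script sets `ANSIBLE_HOST_KEY_CHECKING=False`, which turns off host key verification for the whole bootstrap run rather than only trusting a key that is not yet known, so a host whose key has changed since it was last seen is accepted without any signal. A fresh install has no recorded key, so accepting new keys while still rejecting changed ones keeps the bootstrap working; e.g. `"init": "ANSIBLE_SSH_COMMON_ARGS='-o StrictHostKeyChecking=accept-new' ./tools/apply.sh proxmox -u root -e ansible_user=root --tags init -k"` (accept-new needs OpenSSH 7.6 or later). The `clear-keys` helper added in a later commit already covers the re-install case by removing the stale entry first.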
diff --git a/playbooks/proxmox-vms.yml b/playbooks/proxmox-vms.yml new file mode 100644 index 0000000..f277401 --- /dev/null +++ b/playbooks/proxmox-vms.yml @@ -0,0 +1,15 @@ +- name: Create virtual machines for Lab cluster + hosts: all + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Download iso image + # TODO + + - name: Create storage network + # TODO: Use block in file + + - name: Create lab cluster node VMs + # cpu type = host to enable nested virtualization + # mount iso as DVD diff --git a/playbooks/proxmox.yml b/playbooks/proxmox.yml new file mode 100644 index 0000000..eafc470 --- /dev/null +++ b/playbooks/proxmox.yml 
@@ -0,0 +1,80 @@ +- name: Proxmox Virtual Environment Configuration + hosts: all + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + # Must run before users to make sure the apt repositories are configured in order to install sudo + - name: Configure Proxmox VE specific components + ansible.builtin.import_role: + name: homecentr.proxmox.pve_apt + tags: [ init, pve-apt ] + + # Root's password must be set so that it can be used to communicate with Proxmox API + - name: Create users + ansible.builtin.import_role: + name: homecentr.system.users + tags: [ init, users ] + + - name: Configure proxmox user permissions + ansible.builtin.import_role: + name: homecentr.proxmox.pve_users + tags: [ init, users ] + + - name: Install and configure Chrony + ansible.builtin.import_role: + name: homecentr.system.chrony + tags: [ chrony ] + + - name: Configure ZFS + ansible.builtin.import_role: + name: homecentr.system.zfs_configuration + tags: [ zfs-config ] + + - name: Install benchmarks + ansible.builtin.import_role: + name: homecentr.system.benchmarks + tags: [ benchmarks ] + + - name: Configure MOTD + ansible.builtin.import_role: + name: homecentr.system.motd + tags: [ motd ] + + - name: Configure SSH + ansible.builtin.import_role: + name: homecentr.system.ssh + tags: [ ssh ] + + - name: Configure corosync fix + ansible.builtin.import_role: + name: homecentr.proxmox.pve_corosync_fix + tags: [ pve-corosync ] + + - name: Configure https port forwarding + ansible.builtin.import_role: + name: homecentr.proxmox.pve_https_forward + tags: [ pve-https-forward ] + + - name: Configure PCI passthrough dependencies + ansible.builtin.import_role: + name: homecentr.proxmox.pve_pci_passthrough + tags: [ pve-pci-passthrough ] + + - name: Configure SMTP + ansible.builtin.import_role: + name: homecentr.proxmox.pve_smtp + tags: [ pve-smtp ] + + - name: Configure SSO via Open ID + ansible.builtin.import_role: + name: homecentr.proxmox.pve_sso_openid + tags: [ 
pve-sso-openid ] + + - name: Configure ACME + ansible.builtin.import_role: + name: homecentr.proxmox.pve_acme + tags: [ acme ] + + - name: Flush handlers before starting the VMs + ansible.builtin.meta: flush_handlers diff --git a/playbooks/templates/runners-docker-compose.yml.j2 b/playbooks/templates/runners-docker-compose.yml.j2 new file mode 100644 index 0000000..0a83999 --- /dev/null +++ b/playbooks/templates/runners-docker-compose.yml.j2 @@ -0,0 +1,37 @@ +version: '3.9' +services: +{% for i in range(github_runner_instance_count) %} + runner{{ i + 1 }}: + image: homecentr/github-runner:{{ github_runner_image_tag }} + restart: unless-stopped + user: "github-runner:{{ docker_gid }}" + # entrypoint: bash + # command: "-l -c 'sleep infinity'" + networks: + internal: + external: + environment: + GH_OWNER: homecentr + GH_TOKEN: {{ github_runner_token }} + RUNNER_NAME: "Homecenter-Runner-{{ i + 1 }}" + HOST_NAME: {{ ansible_hostname }} + HOST_IP: {{ ansible_host }} + volumes: + - /var/run/docker.sock:/var/run/docker.sock + extra_hosts: + - "host.docker.internal:host-gateway" +{% endfor %} + +networks: + internal: + driver: bridge + + external: + driver: macvlan + driver_opts: + parent: vmbr0 + ipam: + config: + - subnet: "10.1.8.0/24" + ip_range: "10.1.8.224/27" + gateway: "10.1.8.1" \ No newline at end of file diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..96d8587 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,21 @@ +--- +collections: + - name: ansible.posix + version: 1.4.0 + - name: oasis_roles.system + - name: community.docker + version: 3.4.8 + - name: community.general + version: 6.3.0 + - name: https://github.com/homecentr/ansible-collection-system + type: git + version: feat/zfs-usbhid + - name: https://github.com/homecentr/ansible-collection-proxmox + type: git + version: feat/v1 + +roles: + - name: geerlingguy.pip + - name: geerlingguy.security + - name: geerlingguy.docker + version: 7.0.1 
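Review bot: `GH_TOKEN: {{ github_runner_token }}` and `HOST_NAME: {{ ansible_hostname }}` are rendered as plain YAML scalars, so the `from_yaml` filter applied to this template in playbooks/github-runners.yml will mistype or fail on a value that contains `: `, ` #` or starts with a YAML indicator; quote them as `GH_TOKEN: "{{ github_runner_token }}"` and `HOST_NAME: "{{ ansible_hostname }}"`, as `RUNNER_NAME` already is. Separately, every runner bind-mounts `/var/run/docker.sock` while also sitting on the macvlan `external` network in the host subnet, so any job these runners execute can drive the host's Docker daemon, which is root-equivalent on the Proxmox host. `GH_OWNER: homecentr` suggests the runners register at organisation level (hedged, that depends on the image); that is only acceptable if the repositories they serve cannot have workflows triggered by untrusted pull requests, otherwise a docker-in-docker sidecar or one VM per runner would bound the blast radius. A short comment above the `volumes:` entry recording that decision would help the next reader.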
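Review bot: The two homecentr git collections are pinned to branch names (`version: feat/zfs-usbhid`, `version: feat/v1`) and `oasis_roles.system`, `geerlingguy.pip` and `geerlingguy.security` carry no version at all, so `tools/apply.sh`, which runs `ansible-galaxy install -r ./requirements.yml` before every playbook, pulls whatever those refs resolve to at that moment. Pin the git sources to a tag or commit SHA and give the unversioned entries an explicit `version:` so a run is reproducible and a moved branch cannot change what executes as root on the host.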
diff --git a/tools/apply.sh b/tools/apply.sh new file mode 100644 index 0000000..82f2d01 --- /dev/null +++ b/tools/apply.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash + +printHelp() { + echo "Usage: apply " +} + +PLAYBOOK="./playbooks/${1:-_all}.yml" + +if [ ! -f "$PLAYBOOK" ]; then + printHelp + echo "Playbook $PLAYBOOK could not be found" + exit 2 +fi + +shift + +export ANSIBLE_CONFIG="./ansible.cfg" + +# Install Ansible dependencies (roles and collections) +ansible-galaxy install -r ./requirements.yml + +COMMAND="ansible-playbook -i inventory.yml $PLAYBOOK ${@:1}" + +echo $COMMAND + +# Execute playbook +eval $COMMAND \ No newline at end of file diff --git a/yarn.lock b/yarn.lock new file mode 100644 index 0000000..fb57ccd --- /dev/null +++ b/yarn.lock @@ -0,0 +1,4 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + + From b0e1261f4b6c037018cac3ac01c91966c80af7f7 Mon Sep 17 00:00:00 2001 From: LH Date: Mon, 9 Oct 2023 14:29:17 +0200 Subject: [PATCH 02/11] feat: Lab VMs --- group_vars/all/pve.yml | 9 ++- playbooks/_all.yml | 2 +- playbooks/github-runners.yml | 1 - playbooks/proxmox-vms.yml | 115 +++++++++++++++++++++++++++++++++-- requirements.yml | 2 +- 5 files changed, 120 insertions(+), 9 deletions(-) diff --git a/group_vars/all/pve.yml b/group_vars/all/pve.yml index 370d55a..7b01595 100644 --- a/group_vars/all/pve.yml +++ b/group_vars/all/pve.yml @@ -3,4 +3,11 @@ pve_zfs_max_arc_size_gb: 1 # This creates a circular dependency, but alert e-mails from lab do not really matter pve_smtp_host: 10.1.8.130 pve_smtp_port: 25 -pve_smtp_tls: false \ No newline at end of file +pve_smtp_tls: false + +pve_lab_vms_force_recreate: false + +pve_lab_vms_count: 3 +pve_lab_vms_os_disk_size_gb: 50 +pve_lab_vms_iso_url: https://enterprise.proxmox.com/iso/proxmox-ve_8.0-2.iso +pve_lab_vms_iso_checksum: sha256:e2b27648a8a91c0da1e8e718882a5ff87a8f054c4dd7e0ea1d8af85125d82812 \ No newline at end of file 
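Review bot: `COMMAND="ansible-playbook -i inventory.yml $PLAYBOOK ${@:1}"` followed by `eval $COMMAND` re-parses the caller's arguments through the shell, so an argument containing whitespace, quotes or `$`, `;`, `&` is split or executed instead of being passed through (the `init` script in package.json survives only because `-e ansible_user=root` has no whitespace). Run the command directly with the arguments intact: `echo "ansible-playbook -i inventory.yml $PLAYBOOK $*"` and `ansible-playbook -i inventory.yml "$PLAYBOOK" "$@"`, dropping `COMMAND` and the `eval`. A `set -euo pipefail` after the shebang would also stop the playbook from running when `ansible-galaxy install` fails, which the script currently ignores.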
diff --git a/playbooks/_all.yml b/playbooks/_all.yml index 1b77cfe..011f94c 100644 --- a/playbooks/_all.yml +++ b/playbooks/_all.yml @@ -1,3 +1,3 @@ - import_playbook: proxmox.yml - import_playbook: github-runners.yml -#- import_playbook: proxmox-vms.yml \ No newline at end of file +- import_playbook: proxmox-vms.yml \ No newline at end of file diff --git a/playbooks/github-runners.yml b/playbooks/github-runners.yml index 2b8b2a7..969f438 100644 --- a/playbooks/github-runners.yml +++ b/playbooks/github-runners.yml @@ -34,4 +34,3 @@ definition: "{{ lookup('template', 'templates/runners-docker-compose.yml.j2') | from_yaml }}" recreate: always state: present - # state: absent diff --git a/playbooks/proxmox-vms.yml b/playbooks/proxmox-vms.yml index f277401..384f516 100644 --- a/playbooks/proxmox-vms.yml +++ b/playbooks/proxmox-vms.yml 
@@ -3,13 +3,118 @@ become: true become_method: ansible.builtin.sudo any_errors_fatal: true + handlers: + - name: Reload networking + ansible.builtin.shell: + cmd: ifreload -a + tasks: - - name: Download iso image - # TODO + - name: Install required python packages + ansible.builtin.package: + name: + - python3-proxmoxer + state: present + - name: Download iso image + ansible.builtin.get_url: + url: "{{ pve_lab_vms_iso_url }}" + dest: "/var/lib/vz/template/iso/{{ pve_lab_vms_iso_url | basename }}" + checksum: "{{ pve_lab_vms_iso_checksum }}" + mode: '0640' + - name: Create storage network - # TODO: Use block in file + notify: Reload networking + ansible.builtin.blockinfile: + path: /etc/network/interfaces + block: | + auto vmbr1 + iface vmbr1 inet static + address 192.168.7.1 + netmask 255.255.255.0 + bridge_ports none + bridge_stp off + bridge_fd 0 + + - name: Destroy lab cluster node VMs + when: pve_lab_vms_force_recreate + loop: "{{ range(0, 1, 1) | list }}" # TODO + loop_control: + index_var: index + community.general.proxmox_kvm: + name: "pve-lab-{{ index + 1 }}" + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: 127.0.0.1 + state: absent - name: Create lab cluster node VMs - # cpu type = host to enable nested virtualization - # mount iso as DVD + register: vm + loop: "{{ range(0, pve_lab_vms_count, 1) | list }}" # TODO + loop_control: + index_var: index + community.general.proxmox_kvm: + proxmox_default_behavior: no_defaults + node: "{{ ansible_hostname }}" + kvm: true + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: 127.0.0.1 + name: "pve-lab-{{ index + 1 }}" + protection: false + acpi: true + autostart: true + onboot: true + ostype: l26 + boot: "order=scsi1;scsi0" + bios: ovmf + startup: down=60 + # # required due to a bug: https://forum.proxmox.com/threads/kernel-panic-after-resizing-a-clone.93738/ + # # which causes kernel panic after resizing the os disk + serial: + serial0: socket + scsi: + scsi0: 
"local:iso/{{ pve_lab_vms_iso_url | basename }}" + net: + net0: "virtio,bridge=vmbr0" + net1: "virtio,bridge=vmbr1" + efidisk0: + storage: local-zfs + format: raw + efitype: 4m + pre_enrolled_keys: false + scsihw: virtio-scsi-pci + bootdisk: scsi1 + tablet: false + cpu: "host" # To enable nested virtualization + vcpus: "8" + sockets: "1" + cores: "8" + memory: "16384" + balloon: "8192" + state: present + + - name: Wait for VMs to be created + loop: "{{ range(0, pve_lab_vms_count, 1) | list }}" # TODO + loop_control: + index_var: index + community.general.proxmox_vm_info: + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: 127.0.0.1 + name: "pve-lab-{{ index + 1 }}" + + - name: Create cluster nodes OS disks + loop: "{{ range(0, pve_lab_vms_count, 1) | list }}" # TODO + loop_control: + index_var: index + community.general.proxmox_disk: + api_user: root@pam + api_password: "{{ users_root_password }}" + api_host: 127.0.0.1 + name: "pve-lab-{{ index + 1 }}" + disk: scsi1 + backup: true + cache: none + storage: local-zfs + size: "{{ pve_lab_vms_os_disk_size_gb }}" + state: present diff --git a/requirements.yml b/requirements.yml index 96d8587..5e9d7ab 100644 --- a/requirements.yml +++ b/requirements.yml @@ -6,7 +6,7 @@ collections: - name: community.docker version: 3.4.8 - name: community.general - version: 6.3.0 + version: 7.4.0 - name: https://github.com/homecentr/ansible-collection-system type: git version: feat/zfs-usbhid From 112ec7e9a15c2af22123beaf26dedfa7954d15eb Mon Sep 17 00:00:00 2001 From: LH Date: Mon, 9 Oct 2023 16:12:43 +0200 Subject: [PATCH 03/11] feat: VMs working --- .ansible-lint | 1 + README.md | 28 +++++++++++++++++++++++++++- package.json | 3 ++- playbooks/_all.yml | 3 ++- playbooks/shutdown.yml | 12 ++++++++++++ tools/clearkeys.sh | 3 +++ 6 files changed, 47 insertions(+), 3 deletions(-) create mode 100644 playbooks/shutdown.yml create mode 100644 tools/clearkeys.sh 
diff --git a/.ansible-lint b/.ansible-lint index 91295bc..bf70e95 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -11,6 +11,7 @@ skip_list: - role-name[path] - name[play] - yaml[octal-values] + - yaml[brackets] - yaml[new-line-at-end-of-file] offline: false diff --git a/README.md b/README.md index 107e9f2..8ae2d8d 100644 --- a/README.md +++ b/README.md @@ -1 +1,27 @@ -# lab \ No newline at end of file +# Lab environment + +This repository contains Ansible playbooks to manage the server hosting [lab environment](TBA). The server is intended to run on best effort basis meaning it does not have any availability strategy and if it gets into a state which is difficult to recover from, it can be easily reinstalled and reconfigured using these playbooks. + +## Creating a Lab environment +- Install Proxmox from the official ISO image with the configuration below: + - Disk: ZFS with RAID0 (all disks) + - Country: Czechia + - Timezone: Europe/Prague + - Password: any, just watch out for english keyboard layout when typing numbers + - E-mail: anything + - Hostname: anything + - IP Address: 10.1.8.10/24 + - Gateway: 10.1.8.1 +- Remove previous SSH keys in case you have re-created the lab using the `yarn clear-keys` command +- If it's a fresh install, initialize the server using the `yarn run init` command +- Apply playbooks using the `yarn apply` command +- After the playbooks have been applied, install the individual Proxmox lab VMs through Proxmox UI with the configuration below: + - Disk: ZFS with RAID0 + - Country: Czechia + - Timezone: Europe/Prague + - Password: any, just watch out for english keyboard layout when typing numbers and make sure **all nodes have the same password** + - E-mail: pve<X>@lab.<domain> + - Hostname: pve<X>.lab.<domain> + - IP Address: 10.1.8.1<X>/24 + - Gateway: 10.1.8.1 +- Turn the individual nodes into a Proxmox cluster (there's currently no good way to automate this) \ No newline at end of file 
diff --git a/package.json b/package.json index 5e232b1..96e5940 100644 --- a/package.json +++ b/package.json @@ -9,6 +9,7 @@ "lint": "ANSIBLE_CONFIG=\"./ansible.cfg\" ansible-lint", "setup:local": "ansible-galaxy install -r ./requirements.yml", "init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh proxmox -u root -e ansible_user=root --tags init -k", - "apply": "./tools/apply.sh" + "apply": "./tools/apply.sh", + "clear-keys": "./tools/clearkeys.sh" } } \ No newline at end of file diff --git a/playbooks/_all.yml b/playbooks/_all.yml index 011f94c..3db1b01 100644 --- a/playbooks/_all.yml +++ b/playbooks/_all.yml @@ -1,3 +1,4 @@ - import_playbook: proxmox.yml - import_playbook: github-runners.yml -- import_playbook: proxmox-vms.yml \ No newline at end of file +- import_playbook: proxmox-vms.yml +- import_playbook: shutdown.yml \ No newline at end of file diff --git a/playbooks/shutdown.yml b/playbooks/shutdown.yml new file mode 100644 index 0000000..167738b --- /dev/null +++ b/playbooks/shutdown.yml @@ -0,0 +1,12 @@ +- name: Create automatic shutdown cron job + hosts: all + become: true + become_method: ansible.builtin.sudo + any_errors_fatal: true + tasks: + - name: Create cron entry + ansible.builtin.cron: + hour: 23 + minute: 59 + name: "Evening shutdown" + job: /usr/sbin/shutdown \ No newline at end of file diff --git a/tools/clearkeys.sh b/tools/clearkeys.sh new file mode 100644 index 0000000..abbd726 --- /dev/null +++ b/tools/clearkeys.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +ssh-keygen -f ~/.ssh/known_hosts -R 10.1.8.10 From ee36af2e828e22da385b47b1b75bc0c84755cbd1 Mon Sep 17 00:00:00 2001 From: LH Date: Mon, 9 Oct 2023 16:14:27 +0200 Subject: [PATCH 04/11] CI added --- .github/workflows/ci.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..760aede --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,23 @@ +name: CI +on: + pull_request: + +jobs: + validate: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@master + + - name: Install pre-requisites + run: | + yarn + sudo wget -q -O /usr/bin/sops https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64 + sudo chmod a+x /usr/bin/sops + sudo pip install --upgrade pip + sudo pip uninstall -y ansible-core + pip install --force-reinstall ansible==7.6.0 + pip install --force-reinstall ansible-lint==6.17.0 + + - name: Lint Ansible files + run: yarn lint From fbfa72e77494dac49945e158e5637e9c1b6b4eab Mon Sep 17 00:00:00 2001 From: LH Date: Mon, 9 Oct 2023 16:21:56 +0200 Subject: [PATCH 05/11] Lint fixes --- playbooks/github-runners.yml | 2 +- playbooks/proxmox-vms.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/playbooks/github-runners.yml b/playbooks/github-runners.yml index 969f438..31bc836 100644 --- a/playbooks/github-runners.yml +++ b/playbooks/github-runners.yml @@ -23,7 +23,7 @@ - name: Install required python packages ansible.builtin.package: - name: + name: - python3-docker - python3-compose state: present diff --git a/playbooks/proxmox-vms.yml b/playbooks/proxmox-vms.yml index 384f516..3f2d550 100644 --- a/playbooks/proxmox-vms.yml +++ b/playbooks/proxmox-vms.yml @@ -5,13 +5,13 @@ any_errors_fatal: true handlers: - name: Reload networking - ansible.builtin.shell: - cmd: ifreload -a + changed_when: true + ansible.builtin.command: ifreload -a tasks: - name: Install required python packages ansible.builtin.package: - name: + name: - python3-proxmoxer state: present @@ -21,7 +21,7 @@ dest: "/var/lib/vz/template/iso/{{ pve_lab_vms_iso_url | basename }}" checksum: "{{ pve_lab_vms_iso_checksum }}" mode: '0640' - + - name: Create storage network notify: Reload networking ansible.builtin.blockinfile: From 665e9e964988937584a2db4a876d5335facdc256 Mon Sep 17 00:00:00 2001 
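Review bot: `uses: actions/checkout@master` tracks a mutable branch, and the sops binary is written straight into `/usr/bin` via `sudo wget` with no integrity check, so the lint job's supply chain is two unpinned, unverified downloads. Pin the action to a release tag or, better, a full commit SHA (`uses: actions/checkout@v4` at minimum), and verify the binary against the checksum published with the sops release before `chmod`, e.g. `echo "<published sha256>  /usr/bin/sops" | sha256sum -c -`. Today the workflow only lints on `pull_request` and decrypts nothing, so the exposure is the runner itself, but this block is exactly what gets copied into a job that later holds credentials. The `sudo pip install --upgrade pip` followed by non-sudo `pip install --force-reinstall` lines install into different site-packages; worth confirming `yarn lint` resolves the pinned `ansible-lint==6.17.0` rather than the system one.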
From: LH Date: Thu, 26 Oct 2023 22:55:44 +0200 Subject: [PATCH 06/11] Fixes --- package.json | 2 +- playbooks/proxmox-vms.yml | 4 ++-- playbooks/shutdown.yml | 2 +- tools/apply.sh | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 96e5940..03dd2fa 100644 --- a/package.json +++ b/package.json @@ -7,7 +7,7 @@ "private": true, "scripts": { "lint": "ANSIBLE_CONFIG=\"./ansible.cfg\" ansible-lint", - "setup:local": "ansible-galaxy install -r ./requirements.yml", + "setup:local": "ansible-galaxy install -r ./requirements.yml --no-cache", "init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh proxmox -u root -e ansible_user=root --tags init -k", "apply": "./tools/apply.sh", "clear-keys": "./tools/clearkeys.sh" diff --git a/playbooks/proxmox-vms.yml b/playbooks/proxmox-vms.yml index 3f2d550..affa584 100644 --- a/playbooks/proxmox-vms.yml +++ b/playbooks/proxmox-vms.yml @@ -89,8 +89,8 @@ vcpus: "8" sockets: "1" cores: "8" - memory: "16384" - balloon: "8192" + memory: "18432" + balloon: "18432" state: present - name: Wait for VMs to be created diff --git a/playbooks/shutdown.yml b/playbooks/shutdown.yml index 167738b..0936cec 100644 --- a/playbooks/shutdown.yml +++ b/playbooks/shutdown.yml @@ -6,7 +6,7 @@ tasks: - name: Create cron entry ansible.builtin.cron: - hour: 23 + hour: 1 minute: 59 name: "Evening shutdown" job: /usr/sbin/shutdown \ No newline at end of file diff --git a/tools/apply.sh b/tools/apply.sh index 82f2d01..41a8540 100644 --- a/tools/apply.sh +++ b/tools/apply.sh @@ -17,7 +17,7 @@ shift export ANSIBLE_CONFIG="./ansible.cfg" # Install Ansible dependencies (roles and collections) -ansible-galaxy install -r ./requirements.yml +ansible-galaxy install -r ./requirements.yml --force COMMAND="ansible-playbook -i inventory.yml $PLAYBOOK ${@:1}" From b3d242d773b5e0378a1240d13c7ed3d72fd3cb5b Mon Sep 17 00:00:00 2001 
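Review bot: `ansible-galaxy install -r ./requirements.yml --force` re-resolves every requirement on each apply, and for the two git-sourced collections in requirements.yml that means the current head of the referenced branch is fetched and then executed with `become: true` on the Proxmox host, with no pin and no integrity check on that path. Keeping `--force` is fine if the intent is to always pick up the pinned versions, but the git entries should then reference an immutable tag or commit SHA so an apply is reproducible and a push to a branch cannot change what runs as root here. Add a comment above the line, e.g. `# --force re-installs requirements.yml every run: keep git collections pinned to a commit`. The rest of apply.sh, including its argument handling, is outside the hunk.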
From: LH
Date: Mon, 30 Oct 2023 21:10:07 +0100
Subject: [PATCH 07/11] AAD switched to Lab tenant
---
group_vars/all/pve.sops.yml | 10 +++++-----
package.json | 2 +-
requirements.yml | 2 ++
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/group_vars/all/pve.sops.yml b/group_vars/all/pve.sops.yml
index 7bff8bf..7330bec 100644
--- a/group_vars/all/pve.sops.yml
+++ b/group_vars/all/pve.sops.yml
@@ -2,10 +2,10 @@ pve_default_realm_name: ENC[AES256_GCM,data:VaNF,iv:DVu0ef1Uztb8CJa5PZwzcIKKflgH pve_openid_realms: - name: ENC[AES256_GCM,data:zGGc,iv:0jNuzM3ArlU4hwCB/iZiAvp0OhakmslXk3BJJH7gDLs=,tag:UwNFcC1+XOyb++U9PAtMog==,type:str] display_name: ENC[AES256_GCM,data:yyHnasNbA8MRtUSigSqgmX6moiNXJQ==,iv:bb090tnAH+zJAbYsGnmaYcw8P96SyF+hvODpZOaSkeA=,tag:407MABcbQIHH9iPKX/OQnw==,type:str] - client_id: ENC[AES256_GCM,data:20D+eivXYYVILXY7HEMQER3/SIg7TC+aY43S/Qd6TPdJTnns,iv:g/XvmjeMWfyjW+azwP5TqYW7aD24FfKQa6Q8rZd5Z+Q=,tag:/Otg30gd56kT6bSp5VUAiw==,type:str] + client_id: ENC[AES256_GCM,data:VKBxVrxSPhqjTzRxEJKufmq2GA8s4GnZAngsIILOOuq/Gxzr,iv:ln7ec8D1RFwa7XhNo600UKI4j9z5lY0N/Vip/p2tw3w=,tag:nWybBaNkDcWeICsHBjeMcA==,type:str] #ENC[AES256_GCM,data:WtvK0zfpdO549d1cgQrKegV61wG6QL8JTLqjOygzyn3cWghH1jClTxcKUe91sfyVzDAyHsj4IcWe1avgUA==,iv:lf4BwAh7IiCBaeO0ZulhAX6/bSKdWEEDPhieA1ilG1I=,tag:eK8RHfG+4n9buk+IAkS3vQ==,type:comment] - client_secret: ENC[AES256_GCM,data:WOZ9jctar0KUz1tKRQNpAmm7JCx7zxfCKfjz29dI1uymoeZU2e1siw==,iv:91fCzkhl0wTrHP+WTvUTw+46kcJnfTo4mdnhZW8c+es=,tag:bIsabuf95zaLE3ajzkBpog==,type:str] - url: ENC[AES256_GCM,data:4f9BpFgZpbOXyIfNDN8dFVnQbTrvT/OhPo5zJ41F+4vHLLWFjDYboCztzaGYiLAdJ7314hX28iwKWX47OehDENuURvFwU0nBW2ND,iv:s704OZBU0ZGXP9efwmrD+SaGeqn79gVrYU9Jfi6MBYg=,tag:pGQM8/R4zNq6hidlYWsAgA==,type:str] + client_secret: ENC[AES256_GCM,data:z1HUKTzqRs1RInvWH+/CX3L/0KIF0ijEQR/FqT2aSerYTX3IcGthEQ==,iv:ysw8DWFJFIgDZbtbWZRXobxCyjGRJepkswVX1o/H4IQ=,tag:d5swpiZ/XrK/DA5PTA1KRA==,type:str] + url: ENC[AES256_GCM,data:qX4Ztrt7p4+UfbRxqbsGILECMcQEVYJwQHdFkqL6pTgFlkB8yh8Wu4Ag0cuKckoL24cvDaJZDoNZkpbL/uBqvYjSoAU6YXs1hMZz,iv:xkM1csG5YEqkJLyAeF7omx+syRCmvSZc9n+NiUcCln4=,tag:Vb4Rcv1vurFbkmklCLoelA==,type:str] #ENC[AES256_GCM,data:bqetwB8Qqk7uiXisMDTStIR12zsA94YGdJz9i5UC3Yi7zNTHLwQD7FnA4d2IuqXNTG8C3J0Hyvc=,iv:nRjLWXa/EdNidmiyN4AmwzWC+eZOT2rE+JpnZBQdops=,tag:jewew45mABmLbnxHuPQ21g==,type:comment] autocreate_users: 
ENC[AES256_GCM,data:1HuCqWk=,iv:rtginL+v6lEvi76v0AOIv5OQTSNOEdoB4BYydvhMYN4=,tag:w0y0AJQRewa8l0uax4PXow==,type:bool] username_claim: ENC[AES256_GCM,data:fMhAm2o=,iv:lxP7RfJWSkjg6TufNRbVe/1b4BBQUOrPD7Eyvi+cnpw=,tag:3cf4fN3bZwJM/W/4qdIsrQ==,type:str] 
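Review bot: The `client_id`, `client_secret` and `url` ciphertexts are replaced but the previous values stay in git history, decryptable by every age/PGP recipient of the file, so the switch is only clean if the old tenant's app registration secret has been revoked or expired. The diff cannot show that; suggest stating it in the commit message or adding a comment above `pve_openid_realms`, e.g. `# Credentials for the Lab tenant app registration; the previous tenant's secret was revoked on rotation`. Nothing else in the hunk is reviewable since all values are opaque.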
@@ -41,8 +41,8 @@ sops: cWZDTjRmQUNqeFFXWVFXYzZaRzRhOWcKhATORzCnrd5mZuSiMZGEuLrk2I8ZSfYU afoukYbYCKvISAZR2YXMhD5hNhifgRD+/SS48e7S5CqqBrMoxP4x7w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-05T10:26:27Z" - mac: ENC[AES256_GCM,data:W6aLSZqH+dsUyyLXMtV7YsnCTDz0LxB5LkqFJGABuexPfqKgHn0P3ZjWSH35l1EoOi4sHQeS2PdvbNiUbSalZ6fG/vhz/VRoQ6ii2cFBPwuHjIYXSAFL9Ed0OxuoS8HxpJ3x25BhHY54rhOwpgWXiwcJ64KhhQrWH9+XULGZ1+I=,iv:RsPTNog+rZTe8lWNjxoOd+1c86d1gVxU99ByXF3/ZD8=,tag:bZJF7vo1lHEIlCPhOQbXAQ==,type:str] + lastmodified: "2023-10-27T12:22:35Z" + mac: ENC[AES256_GCM,data:XVCYXjCwkyn1ETx2F4e0fPD155uXncc5qQUlSrjDIR47KsZ7jURv2DATzh8BrAUh9aPKI48lNpfWjCWzjHzHGuK54J1+s6n337wYGBvooQra8XbU1u+PAZP1/ynmvAv3Hf0e/Rin3qGkVE4SH7qIvDHpeHt2eyLsPhxkYeRMV9U=,iv:UpMVY9FppMU1rW27wuNPR8mLPYHwMkeArmYMtHMXqrA=,tag:RzXGHVmqAGIdC9KT6Amp3Q==,type:str] pgp: - created_at: "2023-10-04T19:45:00Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CARAAgZKyxWvK6kxZkb2+5h0VV6tMkOxXRDh3iSdCAgUxXHF8\r\nDuu+ZL8CRHLhtmojeAEuehjlolvRczzMYCroxsV5USokfQbANIAk3f+K/EnSvak6\r\nlHyJ3QLcJCHfMbGQDRScFAJmog9py+3y8UPgxMSFePUpwLgbXXDLljBLoaNsGpcq\r\nBq4m4VuEOq8BiRV/MdH3y4/GhIX7F3ywC9f1D/LsjluYRy2+K9X+7xFPolxSR0cM\r\n3FKNvK49rloLjf9uZEVfZ3aGdE5qGn5AJnHRyPidgbk/x8NlOf2g5jTQ4oZfxJrj\r\n5y2FzRjitJl8P6nHYua0lIZkTUED6PCiC2X8SJSajXArerNkMRBKTGb7XTHKZdcT\r\ntey4FiDsTsVPHhGmW1fZ63byILRckDlLgsr7ZEceNWP+rPSVjSH3R5YWuAAjBY2G\r\n3718eLw50naVCnrZ4mMh05gRuAM9MKVhASRFKBKT+5H14Rhc7cT7o0oC2qITsNu1\r\n7I8lhnzutXZmK9ni1g2oB5tjuq2y/cBp0jFR9gMg+usdcZWyeVtNUzKaADe7YCdG\r\nLj59xNL9Pk825CVHwjfnfyb4qbpM8FMW8VX5y8obq0MSdRZPDnMcTiCQk1stmZ6M\r\nWsM8q/Ge899j7uyqZUZiynlE9tW3FvQ5tFPyArjd76Zuuve9WRr5tRe75oYmd+PS\r\nXgHxdN2eUYZlyR0na36CvPP7sO/B1rjbhw1JlaaN5qDiy/2WyJKNd/8vtldEut9O\r\n9JUULZ9WXzqcsBugzWI5FwRlYx9Rq9o0xSIjFjTFEuNvNLzqbJTXtSqfkIRin7Y=\r\n=yq0q\r\n-----END PGP MESSAGE-----\r\n" diff --git a/package.json b/package.json index 03dd2fa..e3db38e 100644 --- a/package.json +++ b/package.json 
@@ -7,7 +7,7 @@ "private": true, "scripts": { "lint": "ANSIBLE_CONFIG=\"./ansible.cfg\" ansible-lint", - "setup:local": "ansible-galaxy install -r ./requirements.yml --no-cache", + "setup:local": "ansible-galaxy install -r ./requirements.yml --force", "init": "ANSIBLE_HOST_KEY_CHECKING=False ./tools/apply.sh proxmox -u root -e ansible_user=root --tags init -k", "apply": "./tools/apply.sh", "clear-keys": "./tools/clearkeys.sh" diff --git a/requirements.yml b/requirements.yml index 5e9d7ab..45d965c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -16,6 +16,8 @@ collections: roles: - name: geerlingguy.pip + version: 2.2.0 - name: geerlingguy.security + version: 2.2.0 - name: geerlingguy.docker version: 7.0.1 From ffda161b6872e7128ef72c0f146a2d90550dd660 Mon Sep 17 00:00:00 2001 From: LH Date: Tue, 31 Oct 2023 10:56:41 +0100 Subject: [PATCH 08/11] Proxmox port redirect fix 2 --- group_vars/all/github-runners.sops.yml | 6 +++--- playbooks/github-runners.yml | 4 ++++ playbooks/templates/runners-docker-compose.yml.j2 | 5 ++--- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/group_vars/all/github-runners.sops.yml b/group_vars/all/github-runners.sops.yml index 734f761..b205f96 100644 --- a/group_vars/all/github-runners.sops.yml +++ b/group_vars/all/github-runners.sops.yml 
@@ -1,6 +1,6 @@ github_runner_instance_count: ENC[AES256_GCM,data:mA==,iv:tZXyT9ZymWgL2FyK1mne0SJkoX7zK0RCAlLY0Og0R7g=,tag:bcKLeeC1OJXEEEWiGAML6Q==,type:int] github_runner_image_tag: ENC[AES256_GCM,data:X9NC6rKM,iv:YeQgFHOj0gjTlK32GuMmBzY64y/3Kl57bCT2WyHBhxk=,tag:xONE6hc2fZopRANcdMMsdQ==,type:str] -github_runner_token: ENC[AES256_GCM,data:IMdt5UkiN14/sa2Mxzut0Gy8Wql9V8Ond/ogI66GDcnKguVaUPnOaiH+AvNX/3u5kj19s3XEFz5+5fVZHnTU2McjlbYDyH6HW0U4JlM0d7aoQQabn0TQzKgV1tbM,iv:v0vtvtTnpxUcew+2K29muaG45OEi5FD7CZA2D2hRXCQ=,tag:4hUPGmpyZKxi8Wy2F5eEzw==,type:str] +github_runner_token: ENC[AES256_GCM,data:i1wIp+/Oqimh0SSmLvPK6y/0x0+y8hAn0oju9gpwaRgkUUn/IH/nlhkImyNuTwgNueVYe8Xj4Si9xorq5nsJF5ZS6SJ/U+hcuWzBQu4oBBbg7yza7WkztDkuxrS7,iv:gFomXdy8wW6zEK0eUmKkBomsqdvITO6K9ZiwfVF147Q=,tag:OHFhFKw+BoEstHtOrqj6MA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,8 +16,8 @@ sops: Sm9NTXdMOXd0YWh2Z2VWbDdWWXFLQkUKon5P3KZOQFnWHAToI2efSTFLUMLdKCu4 DquCDOmiRCidGzVooH2SKRoN5zF0B39UP9ww2uSxCL7UAIEWjQguMA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-05T13:12:40Z" - mac: ENC[AES256_GCM,data:mgY778ZTnRsD8kU+Dgwg1zowdcGJrAqJt12noQx5xMJzzzErr57zUUEYlg/jWlpRJYKjJVJBrmUNFX0myfIrNtNSdqgC3noArJi3Vin43PSBMDuVX3CcMyFWULNVUY9viG8STYX8ESLS3nEPE6nklbaA7zYVikvfEJFf4xyu5n8=,iv:BC1pBiZnS27KgGcUhWDfuXTXxJfydH/JL0Ji59KPqYQ=,tag:t9Xl+rKG4wJXhXAVthrAgg==,type:str] + lastmodified: "2023-10-30T21:30:21Z" + mac: ENC[AES256_GCM,data:/i3Jjfqr1vpKM8EMkmYa61sAQRqH7T0omEEmT5kdpBfxd+qaT4OpkSReHB+AZNZsh2GvGt/powhby6sFvlc28AcY1NH2wlC5FAorV5RC4QezTdwCGACOHfB/8sutsYDSYYQsrvGt6Py4aFV0XFW8OlwMXgTHbtbEL+xkxPHSnH8=,iv:yTLJTdsridSIV/rse0JwigsUGp7ydw5IOSXDOikLjlo=,tag:Uyp+jEWMrYYvOrFCmHoENg==,type:str] pgp: - created_at: "2023-10-05T13:12:35Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ/+IzFGsg0wMa0G+HjlZuMQLlRxLdl+HYltSS+R88Z36MOs\r\nW2zHCnMQMui3OdvDyOgc2wbd20v2Xf/8EQAlmrqdSFA6XVj5ypby+1fB/B0/NIs9\r\nC9Lw8JH58YrfW4nBQGcDEEMnfr4USp/29PHgpSI2N+I+T0iw0rMuy8d4ID9NpOs+\r\nnsnUupsB/mxgzDZ3mG+4DT/iiFDvegUmjZr2R3ZNxMWBghCO7qsA/h85mqKwLUeX\r\nAsh1TvHY8Wh02vK8RvmunOiABwyZuOwLVJUXP40TogEEADQFugIw66l1fGRv7QKD\r\nK051tBcYx0O1d31tt9tWX9oDPHlbSSWizY56rWORIeRr5um5BZ7qyQdCoxvYTUYw\r\nteDm39vekWbnyWIKFVutNcJYHjXUimpi4KUFIU+WIwn6lXj6PVBuMRwTrRlpc2Ti\r\nt6sxbKtb0ZixbevXMbrBcRWPvSaNuVwLxRLPN3s2ELf/dM2WdmGPUuUYQK1p9SyY\r\nULadjm/I0iRoPC8e+DDN2nqCCGpTSyaaGdkwmHrCuFIJF3oTH6Mc9qESgwmZKqHC\r\ndZiaxtkzG+Oup1QHCSwZJGYEVhtVf8qRCo4muf/A1Poe9BerHwQbv8wYazbs9kFw\r\nk0ViNdUrsR58JcftykA9MV3xtytcEsxd2F/A+p6+WH/3vM5fyvdWa50Jimzszz3S\r\nXAGxLP68inRZiLrcB3EJKlsb8rlaKqOoRqQyMIeV/+Gwn43pZsdFbI0RuOsjbxyd\r\nf0fwcJGXy5Uh9LJGmhiXCX1WSVSwvGFQQJUtBu+dPulfKC3hucAn7RdkQWG+\r\n=FtvM\r\n-----END PGP MESSAGE-----\r\n" diff --git a/playbooks/github-runners.yml b/playbooks/github-runners.yml index 31bc836..5fb4050 100644 --- a/playbooks/github-runners.yml 
+++ b/playbooks/github-runners.yml @@ -16,10 +16,12 @@ database: group split: ':' key: "docker" + tags: [ docker-stack ] - name: Set docker group id to facts ansible.builtin.set_fact: docker_gid: "{{ ansible_facts.getent_group['docker'][1] }}" + tags: [ docker-stack ] - name: Install required python packages ansible.builtin.package: @@ -27,6 +29,7 @@ - python3-docker - python3-compose state: present + tags: [ docker-stack ] - name: Set up runners compose stack community.docker.docker_compose: @@ -34,3 +37,4 @@ definition: "{{ lookup('template', 'templates/runners-docker-compose.yml.j2') | from_yaml }}" recreate: always state: present + tags: [ docker-stack ] diff --git a/playbooks/templates/runners-docker-compose.yml.j2 b/playbooks/templates/runners-docker-compose.yml.j2 index 0a83999..82f2b62 100644 --- a/playbooks/templates/runners-docker-compose.yml.j2 +++ b/playbooks/templates/runners-docker-compose.yml.j2 @@ -8,7 +8,7 @@ services: # entrypoint: bash # command: "-l -c 'sleep infinity'" networks: - internal: + default: external: environment: GH_OWNER: homecentr @@ -23,8 +23,7 @@ services: {% endfor %} networks: - internal: - driver: bridge + default: external: driver: macvlan From ff487b2a67eaae62a5ecb715e8ed13543a8eab73 Mon Sep 17 00:00:00 2001 From: LH Date: Mon, 6 Nov 2023 11:04:22 +0100 Subject: [PATCH 09/11] GitHub runners network config moved to vars --- group_vars/all/github-runners.sops.yml | 8 ++++++-- playbooks/templates/runners-docker-compose.yml.j2 | 6 +++--- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/group_vars/all/github-runners.sops.yml b/group_vars/all/github-runners.sops.yml index b205f96..bfc17bf 100644 --- a/group_vars/all/github-runners.sops.yml +++ b/group_vars/all/github-runners.sops.yml 
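Review bot: The runner services now attach to both `default:` and the macvlan network `external:` (driver `macvlan`, `parent: vmbr0` in the context lines), which puts each GitHub job's code on the same L2 segment as the Proxmox host and the PVE VMs — the old template hard-coded `10.1.8.0/24`, the README's management subnet. A self-hosted runner executes whatever a workflow asks, so this is only acceptable if every repository these runners serve cannot receive workflow runs from untrusted contributors; otherwise move the macvlan to a dedicated VLAN or bridge and firewall it from the management addresses. At minimum document the assumption in the template, e.g. `# Runners get an address on vmbr0 (PVE management segment); only attach to repos where untrusted PRs cannot reach self-hosted runners`. Since `default:` is declared empty at the top level, the containers also get a compose bridge interface in addition to the macvlan one; if that is not intended, drop the service-level `default:` entry.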
@@ -1,6 +1,10 @@ github_runner_instance_count: ENC[AES256_GCM,data:mA==,iv:tZXyT9ZymWgL2FyK1mne0SJkoX7zK0RCAlLY0Og0R7g=,tag:bcKLeeC1OJXEEEWiGAML6Q==,type:int] github_runner_image_tag: ENC[AES256_GCM,data:X9NC6rKM,iv:YeQgFHOj0gjTlK32GuMmBzY64y/3Kl57bCT2WyHBhxk=,tag:xONE6hc2fZopRANcdMMsdQ==,type:str] github_runner_token: ENC[AES256_GCM,data:i1wIp+/Oqimh0SSmLvPK6y/0x0+y8hAn0oju9gpwaRgkUUn/IH/nlhkImyNuTwgNueVYe8Xj4Si9xorq5nsJF5ZS6SJ/U+hcuWzBQu4oBBbg7yza7WkztDkuxrS7,iv:gFomXdy8wW6zEK0eUmKkBomsqdvITO6K9ZiwfVF147Q=,tag:OHFhFKw+BoEstHtOrqj6MA==,type:str] +github_runner_network: + subnet: ENC[AES256_GCM,data:N2HRS7MdiUoNArc=,iv:ycIY1KtaBwejCvgXTFLrCxSaDyTJHgpfdzAfFdELYEw=,tag:GJruj2b62nILAUjNWxzBdQ==,type:str] + ip_range: ENC[AES256_GCM,data:q4hBS9jDbF7aMTLI4A==,iv:277/W4bDLSFSDnDnYpKOaS5XgrW80uSOQEL0fQudFnQ=,tag:QLzOvvugavEbVtx8ZcLJUQ==,type:str] + gateway: ENC[AES256_GCM,data:+k7XWNRe/ho=,iv:+ejGtMFOuVrgJY2pPIWxJOnkHZIo1YlYH5rO6QOmWvE=,tag:qFq7byuBf5JJxBHSGZMvwQ==,type:str] sops: kms: [] gcp_kms: [] 
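Review bot: `subnet`, `ip_range` and `gateway` are SOPS-encrypted although they are network layout, not secrets (the template hunk below removes the same values in clear text, and the README on this page already publishes the 10.1.8.x addressing), so future changes to the runner address range become unreviewable in diffs and require re-signing the file's MAC for a non-secret edit. sops' `encrypted_regex` in `.sops.yaml` can limit encryption to the keys that are secrets (here `github_runner_token`), or the mapping can live in a plain sibling `github-runners.yml` next to this file. If hiding internal addressing is intentional because the repository is public, say so in a comment above the key, since the README contradicts it.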
@@ -16,8 +20,8 @@ sops: Sm9NTXdMOXd0YWh2Z2VWbDdWWXFLQkUKon5P3KZOQFnWHAToI2efSTFLUMLdKCu4 DquCDOmiRCidGzVooH2SKRoN5zF0B39UP9ww2uSxCL7UAIEWjQguMA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-10-30T21:30:21Z" - mac: ENC[AES256_GCM,data:/i3Jjfqr1vpKM8EMkmYa61sAQRqH7T0omEEmT5kdpBfxd+qaT4OpkSReHB+AZNZsh2GvGt/powhby6sFvlc28AcY1NH2wlC5FAorV5RC4QezTdwCGACOHfB/8sutsYDSYYQsrvGt6Py4aFV0XFW8OlwMXgTHbtbEL+xkxPHSnH8=,iv:yTLJTdsridSIV/rse0JwigsUGp7ydw5IOSXDOikLjlo=,tag:Uyp+jEWMrYYvOrFCmHoENg==,type:str] + lastmodified: "2023-11-06T10:04:03Z" + mac: ENC[AES256_GCM,data:UvAzTb0cOpWX8WKA1Rzbdj59GJ4jIBmXp12LspxC7fNdeowKk5hMFTQ03ljnnRGFk6srWhXdb3/Clj+ud7Za8lIkYjY8O0CkykFR+2SU5sREjlQ++GbzX8nmHOwAO2dU5aQ0fSQmNxLecT8DcVbtGU8j/W/4ZAGcnDAzvcPC9fs=,iv:iyJcKPDTxQV4N5GY6vNsnDmBabwDoq2nXcw9RbBuCkY=,tag:WLj4MRR9O4EZ3B31afv/rg==,type:str] pgp: - created_at: "2023-10-05T13:12:35Z" enc: "-----BEGIN PGP MESSAGE-----\r\n\r\nhQIMA7Pg+ndCcR5CAQ/+IzFGsg0wMa0G+HjlZuMQLlRxLdl+HYltSS+R88Z36MOs\r\nW2zHCnMQMui3OdvDyOgc2wbd20v2Xf/8EQAlmrqdSFA6XVj5ypby+1fB/B0/NIs9\r\nC9Lw8JH58YrfW4nBQGcDEEMnfr4USp/29PHgpSI2N+I+T0iw0rMuy8d4ID9NpOs+\r\nnsnUupsB/mxgzDZ3mG+4DT/iiFDvegUmjZr2R3ZNxMWBghCO7qsA/h85mqKwLUeX\r\nAsh1TvHY8Wh02vK8RvmunOiABwyZuOwLVJUXP40TogEEADQFugIw66l1fGRv7QKD\r\nK051tBcYx0O1d31tt9tWX9oDPHlbSSWizY56rWORIeRr5um5BZ7qyQdCoxvYTUYw\r\nteDm39vekWbnyWIKFVutNcJYHjXUimpi4KUFIU+WIwn6lXj6PVBuMRwTrRlpc2Ti\r\nt6sxbKtb0ZixbevXMbrBcRWPvSaNuVwLxRLPN3s2ELf/dM2WdmGPUuUYQK1p9SyY\r\nULadjm/I0iRoPC8e+DDN2nqCCGpTSyaaGdkwmHrCuFIJF3oTH6Mc9qESgwmZKqHC\r\ndZiaxtkzG+Oup1QHCSwZJGYEVhtVf8qRCo4muf/A1Poe9BerHwQbv8wYazbs9kFw\r\nk0ViNdUrsR58JcftykA9MV3xtytcEsxd2F/A+p6+WH/3vM5fyvdWa50Jimzszz3S\r\nXAGxLP68inRZiLrcB3EJKlsb8rlaKqOoRqQyMIeV/+Gwn43pZsdFbI0RuOsjbxyd\r\nf0fwcJGXy5Uh9LJGmhiXCX1WSVSwvGFQQJUtBu+dPulfKC3hucAn7RdkQWG+\r\n=FtvM\r\n-----END PGP MESSAGE-----\r\n" diff --git a/playbooks/templates/runners-docker-compose.yml.j2 b/playbooks/templates/runners-docker-compose.yml.j2 index 82f2b62..7a228d9 100644 
--- a/playbooks/templates/runners-docker-compose.yml.j2 +++ b/playbooks/templates/runners-docker-compose.yml.j2 @@ -31,6 +31,6 @@ networks: parent: vmbr0 ipam: config: - - subnet: "10.1.8.0/24" - ip_range: "10.1.8.224/27" - gateway: "10.1.8.1" \ No newline at end of file + - subnet: "{{ github_runner_network.subnet }}" + ip_range: "{{ github_runner_network.ip_range }}" + gateway: "{{ github_runner_network.gateway }}" \ No newline at end of file From 8aee42df0e43af096eeb1b92fbbf2797e083a3b9 Mon Sep 17 00:00:00 2001 From: LH Date: Mon, 6 Nov 2023 11:10:24 +0100 Subject: [PATCH 10/11] Syntax fix --- playbooks/github-runners.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbooks/github-runners.yml b/playbooks/github-runners.yml index 5fb4050..71cf005 100644 --- a/playbooks/github-runners.yml +++ b/playbooks/github-runners.yml @@ -24,12 +24,12 @@ tags: [ docker-stack ] - name: Install required python packages - ansible.builtin.package: + ansible.builtin.apt: name: - python3-docker - python3-compose state: present - tags: [ docker-stack ] + tags: [ docker-stack ] - name: Set up runners compose stack community.docker.docker_compose: From 54bcd2317f7975e68811514a5f2660fccdacacfb Mon Sep 17 00:00:00 2001 From: LH Date: Mon, 6 Nov 2023 13:12:17 +0100 Subject: [PATCH 11/11] fix: Deps repointed to master --- requirements.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/requirements.yml b/requirements.yml index 45d965c..f893142 100644 --- a/requirements.yml +++ b/requirements.yml @@ -9,10 +9,10 @@ collections: version: 7.4.0 - name: https://github.com/homecentr/ansible-collection-system type: git - version: feat/zfs-usbhid + version: master - name: https://github.com/homecentr/ansible-collection-proxmox type: git - version: feat/v1 + version: master roles: - name: geerlingguy.pip
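Review bot: Pointing both git-sourced collections at `master` swaps a feature-branch reference for an equally mutable one, and the `apply.sh` hunk on this page installs requirements with `--force` on every run, so each apply executes whatever those two repositories' default branches contain at that moment, with `become: true`, on the Proxmox host. Pin them to a release tag or a full commit SHA (`version:` accepts a commit hash for `type: git` entries) and bump deliberately, matching how the Galaxy roles in this file are pinned (`geerlingguy.docker` at `7.0.1`, `geerlingguy.pip` and `geerlingguy.security` at `2.2.0`). Add a comment above the entries, e.g. `# Pinned to a commit on purpose: apply.sh re-installs with --force on every run`. The `collections:` list starts above the hunk.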