Add dn42 foo.
parent
fa6e30eacb
commit
93989e6ab5
|
@ -0,0 +1,18 @@
|
|||
mysql_root_password: usheeCut6ahjohhiPh4aichah5aiyaex
|
||||
mysql_root_password_update: true
|
||||
mysql_databases:
|
||||
- name: pdns
|
||||
mysql_users:
|
||||
- name: repl_user
|
||||
password: awe9Ier2aisoh8keez5uonge
|
||||
priv: "*.*:REPLICATION CLIENT"
|
||||
host: 172.21.74.134
|
||||
mysql_packages:
|
||||
- mariadb-client
|
||||
- mariadb-server
|
||||
- python3-mysqldb
|
||||
mysql_replication_user:
|
||||
name: repl_user
|
||||
password: awe9Ier2aisoh8keez5uonge
|
||||
host: 172.21.74.134
|
||||
mysql_replication_master: "172.21.74.134"
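Review bot: `mysql_root_password` and the `repl_user` password are committed as plaintext scalars, so they are now part of the repository history and should be rotated, with the replacements stored as `!vault` strings produced by `ansible-vault encrypt_string` instead of in the clear. The grant for `repl_user` also looks wrong: `host: 172.21.74.134` is the address of the host that the .134 host file marks as `mysql_replication_role: "master"`, while the slave is .135, so if the slave connects from its internal address a grant limited to `172.21.74.134` never matches and replication cannot authenticate — `host: 172.21.74.135` (or a subnet pattern) is what the slave needs. `repl_user` is further defined twice, once in `mysql_users` with only `*.*:REPLICATION CLIENT` and again as `mysql_replication_user` without `priv`, so the vendored role's `replication.yml` applies its own default of `REPLICATION SLAVE,REPLICATION CLIENT` on the master and the two definitions disagree; keep a single definition and make sure it carries `REPLICATION SLAVE`, which replication requires.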
|
|
@ -0,0 +1 @@
|
|||
node_exporter_version: 1.3.1
|
|
@ -0,0 +1,6 @@
|
|||
dn42:
|
||||
internal_ipv4: 172.21.74.133
|
||||
internal_ipv6: fe80::3767:1
|
||||
dn42_ipv6: fd68:a3ea:7c9a:0100::1/56
|
||||
main_if: enp1s0
|
||||
peers: []
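Review bot: `internal_ipv4` is written as a bare address here (`172.21.74.133`) and in the .129 and .130 host files, but as `172.21.74.134/32` and `172.21.74.135/32` in the two MySQL host files, so whatever in `nll-dn42` consumes `dn42.internal_ipv4` has to accept both forms or some hosts likely end up configured differently. Settle on one form for every host — either plain addresses with the prefix supplied by the role, or CIDR everywhere, e.g. `internal_ipv4: 172.21.74.133/32`. The same split appears for `own_ipv6`, given as `fe80::100` in one tech9 peer and `fe80::100/64` in the other.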
|
|
@ -0,0 +1,51 @@
|
|||
dn42:
|
||||
internal_ipv4: 172.21.74.129
|
||||
internal_ipv6: fe80::3767:2
|
||||
dn42_ipv6: fd68:a3ea:7c9a:0400::1/56
|
||||
main_if: eth0
|
||||
peers:
|
||||
- name: kioubit
|
||||
own_privkey: EFBQUWCP1i6OzOUKIuCVt3AfmHP3qIaOBx5TLDh4OEw=
|
||||
remote_pubkey: B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY=
|
||||
endpoint: de2.g-load.eu:23767
|
||||
remote_as: 4242423914
|
||||
peering_ipv4:
|
||||
peering_ipv6:
|
||||
own_ipv4: 172.21.74.129
|
||||
remote_ipv4: 172.20.53.97
|
||||
own_ipv6: fd68:a3ea:7c9a::1
|
||||
remote_ipv6: fdfc:e23f:fb45:3234::1
|
||||
|
||||
- name: tech9
|
||||
own_privkey: GJx2n55txSrwooipEh6DHOq0z4xUn7eQB1ALIJSZM1c=
|
||||
remote_pubkey: MD1EdVe9a0yycUdXCH3A61s3HhlDn17m5d07e4H33S0=
|
||||
endpoint: de-fra02.dn42.tech9.io:55024
|
||||
listen_port: 21588
|
||||
remote_as: 4242421588
|
||||
peering_ipv4:
|
||||
peering_ipv6:
|
||||
own_ipv4: 172.21.74.129
|
||||
remote_ipv4: 172.20.16.141
|
||||
own_ipv6: fe80::100
|
||||
remote_ipv6: fe80::1588
|
||||
|
||||
- name: yura42
|
||||
own_privkey: 6D6PMxb6q8gHY3P5Cme0LJCvLz6sxsAmeiGbFd9HwFg=
|
||||
listen_port: 51834
|
||||
remote_pubkey: qIhJZf6mTruzO4GTCUrJnLqs9ID4TI1GctRhaRilBkg=
|
||||
endpoint: fra.dneo.moeternet.com:23767
|
||||
remote_as: 4242422464
|
||||
peering_ipv4:
|
||||
peering_ipv6:
|
||||
own_ipv4: 172.21.74.129
|
||||
remote_ipv4: 172.20.191.193
|
||||
own_ipv6: fd42:1145:1419:0:d2d:4242:3767:2
|
||||
remote_ipv6: fd42:1145:1419:0:d2d:4242:3767:1
|
||||
|
||||
- name: lagertonne
|
||||
no_wireguard:
|
||||
own_ipv4: 172.21.74.129/32
|
||||
remote_as: 4242423765
|
||||
remote_ipv4: 172.21.80.97
|
||||
own_ipv6: fe80::3765
|
||||
remote_ipv6: fe80::3767
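Review bot: Every WireGuard `own_privkey` for the kioubit, tech9 and yura42 peers is committed in plaintext, as are the two in the .130 host file further down; a private key that has been pushed to a repository has to be treated as exposed, so these should be regenerated and the new keys stored as `!vault` strings (`ansible-vault encrypt_string`) or fetched from a secret store at run time. Separately, `peering_ipv4:` and `peering_ipv6:` under those three peers have no value and parse as null; if they were meant to group the `own_*`/`remote_*` keys the nesting is not visible in this rendering, otherwise they should be dropped or written as `null` so the intent is explicit. `no_wireguard:` on the lagertonne peer is likewise a bare key that parses as null — that works if the role only tests `is defined`, but `no_wireguard: true` says what is meant.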
|
|
@ -0,0 +1,8 @@
|
|||
dn42:
|
||||
internal_ipv4: 172.21.74.134/32
|
||||
internal_ipv6: fe80::3767:4
|
||||
dn42_ipv6: fd68:a3ea:7c9a:aa01::1/64
|
||||
peers: []
|
||||
main_if: eth0
|
||||
mysql_server_id: "1"
|
||||
mysql_replication_role: "master"
|
|
@ -0,0 +1,8 @@
|
|||
dn42:
|
||||
internal_ipv4: 172.21.74.135/32
|
||||
internal_ipv6: fe80::3767:5
|
||||
dn42_ipv6: fd68:a3ea:7c9a:aa02::1/64
|
||||
peers: []
|
||||
main_if: eth0
|
||||
mysql_server_id: "2"
|
||||
mysql_replication_role: "slave"
|
|
@ -0,0 +1,26 @@
|
|||
dn42:
|
||||
internal_ipv4: 172.21.74.130
|
||||
internal_ipv6: fe80::3767:3
|
||||
dn42_ipv6: fd68:a3ea:7c9a:500::1/56
|
||||
main_if: eth0
|
||||
peers:
|
||||
- name: tech9
|
||||
own_privkey: cNlNF6vgKI5hu6fzeW6mYbw5HU0OwTY6Ejnum1THIVI=
|
||||
remote_pubkey: MD1EdVe9a0yycUdXCH3A61s3HhlDn17m5d07e4H33S0=
|
||||
endpoint: de-fra02.dn42.tech9.io:58609
|
||||
listen_port: 51588
|
||||
remote_as: 4242421588
|
||||
own_ipv4: 172.21.74.130
|
||||
remote_ipv4: 172.20.16.141
|
||||
own_ipv6: fe80::100/64
|
||||
remote_ipv6: fe80::1588/64
|
||||
- name: kioubit
|
||||
own_privkey: aAxJTcXJBvDyxcQEcaw0+uk9LAtXaew1ZNat4m6YHHo=
|
||||
remote_pubkey: sLbzTRr2gfLFb24NPzDOpy8j09Y6zI+a7NkeVMdVSR8=
|
||||
endpoint: fr1.g-load.eu:23767
|
||||
listen_port: 51589
|
||||
remote_as: 4242423914
|
||||
own_ipv4: 172.21.74.130
|
||||
remote_ipv4: 172.20.53.102
|
||||
own_ipv6: fd68:a3ea:7c9a::2
|
||||
remote_ipv6: fdfc:e23f:fb45:3234::8
|
|
@ -12,7 +12,19 @@ all:
|
|||
dn42-router:
|
||||
hosts:
|
||||
dn42-gw-fra:
|
||||
ansible_host: 95.156.226.95
|
||||
ansible_host: dn42-gw-fra.neulandlabor.de
|
||||
dn42-nue01:
|
||||
ansible_host: dn42-nue01.nll.re
|
||||
dn42-arn01:
|
||||
ansible_host: dn42-arn01.nll.re
|
||||
dn42-ns1:
|
||||
ansible_host: dn42-ns1.nll.re
|
||||
dn42-ns2:
|
||||
ansible_host: dn42-ns2.nll.re
|
||||
#dn42-nameserver:
|
||||
# hosts:
|
||||
# dn42-ns1:
|
||||
# dn42-ns2:
|
||||
gateways:
|
||||
hosts:
|
||||
gateway01:
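Review bot: The `#dn42-nameserver:` block is commented-out inventory with no indication of why it is disabled or when it should come back; either drop it or put a comment above it stating the reason it is parked. As written, dn42-ns1 and dn42-ns2 sit in `dn42-router`, so `dn42-router.yml` applies `nll-dn42` to the nameservers too — if that is intended, a comment on the group saying so spares the next reader the question. The enclosing `all:` mapping starts outside this hunk.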
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
[storage]
|
||||
driver = "overlay"
|
||||
|
||||
[storage.options]
|
||||
mount_program = "/usr/bin/fuse-overlayfs"
|
|
@ -0,0 +1,25 @@
|
|||
---
|
||||
- hosts: "dn42-dock*"
|
||||
tasks:
|
||||
- name: Install needed packages
|
||||
ansible.builtin.apt:
|
||||
pkg:
|
||||
- podman
|
||||
- slirp4netns
|
||||
- fuse-overlayfs
|
||||
- python3-pip
|
||||
- lxc
|
||||
- libpam-cgfs
|
||||
- bridge-utils
|
||||
- uidmap
|
||||
- libvirt0
|
||||
|
||||
- name: Install podman-compose
|
||||
ansible.builtin.pip:
|
||||
name: podman-compose
|
||||
|
||||
- name: Create storage.conf
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/containers/storage.conf
|
||||
src: ../files/container-storage.conf
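Review bot: The `ansible.builtin.pip` task installs `podman-compose` without a `version:`, so each run pulls whatever PyPI currently serves onto the hosts; pin it, e.g. `version: "<pinned-version>"`, so the code that lands is reproducible and can be reviewed before it changes. The `copy` task for `storage.conf` sets neither `owner` nor `mode`, leaving the result to the controller's umask — add `owner: root`, `group: root` and `mode: "0644"`. No `become: true` is visible on the play although `apt` and writing under `/etc/containers` need root; presumably it comes from inventory or ansible.cfg, but confirm.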
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- hosts: dn42-router
|
||||
roles:
|
||||
- role: nll-dn42
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- hosts: internal
|
||||
- hosts: proxmox_pool_neuland
|
||||
|
||||
tasks:
|
||||
- name: Update all Debian systems
|
||||
|
|
|
@ -0,0 +1,3 @@
|
|||
skip_list:
|
||||
- 'yaml'
|
||||
- 'role-name'
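Review bot: `skip_list` turns off the `yaml` and `role-name` rules for the whole repository, which also silences YAML findings in the first-party playbooks and host_vars, not only in the vendored `geerlingguy.mysql` copy this presumably targets. If the vendored role is the source of the noise, `exclude_paths` with its directory keeps both rules active for local files; if `role-name` is skipped because of the hyphen in `nll-dn42`, a comment above the list saying so records the trade-off.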
|
|
@ -0,0 +1,4 @@
|
|||
# These are supported funding model platforms
|
||||
---
|
||||
github: geerlingguy
|
||||
patreon: geerlingguy
|
|
@ -0,0 +1,56 @@
|
|||
# Configuration for probot-stale - https://github.com/probot/stale
|
||||
|
||||
# Number of days of inactivity before an Issue or Pull Request becomes stale
|
||||
daysUntilStale: 90
|
||||
|
||||
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
|
||||
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
|
||||
daysUntilClose: 30
|
||||
|
||||
# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
|
||||
onlyLabels: []
|
||||
|
||||
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
|
||||
exemptLabels:
|
||||
- pinned
|
||||
- security
|
||||
- planned
|
||||
|
||||
# Set to true to ignore issues in a project (defaults to false)
|
||||
exemptProjects: false
|
||||
|
||||
# Set to true to ignore issues in a milestone (defaults to false)
|
||||
exemptMilestones: false
|
||||
|
||||
# Set to true to ignore issues with an assignee (defaults to false)
|
||||
exemptAssignees: false
|
||||
|
||||
# Label to use when marking as stale
|
||||
staleLabel: stale
|
||||
|
||||
# Limit the number of actions per hour, from 1-30. Default is 30
|
||||
limitPerRun: 30
|
||||
|
||||
pulls:
|
||||
markComment: |-
|
||||
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
|
||||
|
||||
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
|
||||
|
||||
unmarkComment: >-
|
||||
This pull request is no longer marked for closure.
|
||||
|
||||
closeComment: >-
|
||||
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
|
||||
|
||||
issues:
|
||||
markComment: |-
|
||||
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
|
||||
|
||||
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
|
||||
|
||||
unmarkComment: >-
|
||||
This issue is no longer marked for closure.
|
||||
|
||||
closeComment: >-
|
||||
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
|
|
@ -0,0 +1,77 @@
|
|||
---
|
||||
name: CI
|
||||
'on':
|
||||
pull_request:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
schedule:
|
||||
- cron: "0 1 * * 3"
|
||||
|
||||
defaults:
|
||||
run:
|
||||
working-directory: 'geerlingguy.mysql'
|
||||
|
||||
jobs:
|
||||
|
||||
lint:
|
||||
name: Lint
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out the codebase.
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: 'geerlingguy.mysql'
|
||||
|
||||
- name: Set up Python 3.
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: '3.x'
|
||||
|
||||
- name: Install test dependencies.
|
||||
run: pip3 install yamllint
|
||||
|
||||
- name: Lint code.
|
||||
run: |
|
||||
yamllint .
|
||||
|
||||
molecule:
|
||||
name: Molecule
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
distro:
|
||||
- centos8
|
||||
- centos7
|
||||
- ubuntu1804
|
||||
- debian10
|
||||
|
||||
steps:
|
||||
- name: Check out the codebase.
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: 'geerlingguy.mysql'
|
||||
|
||||
- name: Set up Python 3.
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: '3.x'
|
||||
|
||||
- name: Install test dependencies.
|
||||
run: pip3 install ansible molecule[docker] docker
|
||||
|
||||
# See: https://github.com/geerlingguy/ansible-role-mysql/issues/422
|
||||
- name: Disable AppArmor on Debian.
|
||||
run: |
|
||||
set -x
|
||||
sudo apt-get install apparmor-profiles
|
||||
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
|
||||
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
|
||||
if: ${{ startsWith(matrix.distro, 'debian') }}
|
||||
|
||||
- name: Run Molecule tests.
|
||||
run: molecule test
|
||||
env:
|
||||
PY_COLORS: '1'
|
||||
ANSIBLE_FORCE_COLOR: '1'
|
||||
MOLECULE_DISTRO: ${{ matrix.distro }}
|
|
@ -0,0 +1,38 @@
|
|||
---
|
||||
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
|
||||
# repository or organization.
|
||||
#
|
||||
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
|
||||
# See: https://github.com/ansible/galaxy/issues/46
|
||||
|
||||
name: Release
|
||||
'on':
|
||||
push:
|
||||
tags:
|
||||
- '*'
|
||||
|
||||
defaults:
|
||||
run:
|
||||
working-directory: 'geerlingguy.mysql'
|
||||
|
||||
jobs:
|
||||
|
||||
release:
|
||||
name: Release
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out the codebase.
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
path: 'geerlingguy.mysql'
|
||||
|
||||
- name: Set up Python 3.
|
||||
uses: actions/setup-python@v2
|
||||
with:
|
||||
python-version: '3.x'
|
||||
|
||||
- name: Install Ansible.
|
||||
run: pip3 install ansible-base
|
||||
|
||||
- name: Trigger a new import on Galaxy.
|
||||
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
|
|
@ -0,0 +1,4 @@
|
|||
*.retry
|
||||
*/__pycache__
|
||||
*.pyc
|
||||
.cache
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
extends: default
|
||||
|
||||
rules:
|
||||
line-length:
|
||||
max: 160
|
||||
level: warning
|
||||
|
||||
ignore: |
|
||||
.github/stale.yml
|
|
@ -0,0 +1,20 @@
|
|||
The MIT License (MIT)
|
||||
|
||||
Copyright (c) 2017 Jeff Geerling
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
||||
this software and associated documentation files (the "Software"), to deal in
|
||||
the Software without restriction, including without limitation the rights to
|
||||
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
|
||||
the Software, and to permit persons to whom the Software is furnished to do so,
|
||||
subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
|
||||
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
|
||||
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
|
||||
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
@ -0,0 +1,199 @@
|
|||
# Ansible Role: MySQL
|
||||
|
||||
[![CI](https://github.com/geerlingguy/ansible-role-mysql/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-mysql/actions?query=workflow%3ACI)
|
||||
|
||||
Installs and configures MySQL or MariaDB server on RHEL/CentOS or Debian/Ubuntu servers.
|
||||
|
||||
## Requirements
|
||||
|
||||
No special requirements; note that this role requires root access, so either run it in a playbook with a global `become: yes`, or invoke the role in your playbook like:
|
||||
|
||||
- hosts: database
|
||||
roles:
|
||||
- role: geerlingguy.mysql
|
||||
become: yes
|
||||
|
||||
## Role Variables
|
||||
|
||||
Available variables are listed below, along with default values (see `defaults/main.yml`):
|
||||
|
||||
mysql_user_home: /root
|
||||
mysql_user_name: root
|
||||
mysql_user_password: root
|
||||
|
||||
The home directory inside which Python MySQL settings will be stored, which Ansible will use when connecting to MySQL. This should be the home directory of the user which runs this Ansible role. The `mysql_user_name` and `mysql_user_password` can be set if you are running this role under a non-root user account and want to set a non-root user.
|
||||
|
||||
mysql_root_home: /root
|
||||
mysql_root_username: root
|
||||
mysql_root_password: root
|
||||
|
||||
The MySQL root user account details.
|
||||
|
||||
mysql_root_password_update: false
|
||||
|
||||
Whether to force update the MySQL root user's password. By default, this role will only change the root user's password when MySQL is first configured. You can force an update by setting this to `yes`.
|
||||
|
||||
> Note: If you get an error like `ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)` after a failed or interrupted playbook run, this usually means the root password wasn't originally updated to begin with. Try either removing the `.my.cnf` file inside the configured `mysql_user_home` or updating it and setting `password=''` (the insecure default password). Run the playbook again, with `mysql_root_password_update` set to `yes`, and the setup should complete.
|
||||
|
||||
> Note: If you get an error like `ERROR 1698 (28000): Access denied for user 'root'@'localhost' (using password: YES)` when trying to log in from the CLI you might need to run as root or sudoer.
|
||||
|
||||
mysql_enabled_on_startup: true
|
||||
|
||||
Whether MySQL should be enabled on startup.
|
||||
|
||||
mysql_config_file: *default value depends on OS*
|
||||
mysql_config_include_dir: *default value depends on OS*
|
||||
|
||||
The main my.cnf configuration file and include directory.
|
||||
|
||||
overwrite_global_mycnf: true
|
||||
|
||||
Whether the global my.cnf should be overwritten each time this role is run. Setting this to `no` tells Ansible to only create the `my.cnf` file if it doesn't exist. This should be left at its default value (`yes`) if you'd like to use this role's variables to configure MySQL.
|
||||
|
||||
mysql_config_include_files: []
|
||||
|
||||
A list of files that should override the default global my.cnf. Each item in the array requires a "src" parameter which is a path to a file. An optional "force" parameter can force the file to be updated each time ansible runs.
|
||||
|
||||
mysql_databases: []
|
||||
|
||||
The MySQL databases to create. A database has the values `name`, `encoding` (defaults to `utf8`), `collation` (defaults to `utf8_general_ci`) and `replicate` (defaults to `1`, only used if replication is configured). The formats of these are the same as in the `mysql_db` module.
|
||||
|
||||
You can also delete a database (or ensure it's not on the server) by setting `state` to `absent` (defaults to `present`).
|
||||
|
||||
mysql_users: []
|
||||
|
||||
The MySQL users and their privileges. A user has the values:
|
||||
|
||||
- `name`
|
||||
- `host` (defaults to `localhost`)
|
||||
- `password` (can be plaintext or encrypted—if encrypted, set `encrypted: yes`)
|
||||
- `encrypted` (defaults to `no`)
|
||||
- `priv` (defaults to `*.*:USAGE`)
|
||||
- `append_privs` (defaults to `no`)
|
||||
- `state` (defaults to `present`)
|
||||
|
||||
The formats of these are the same as in the `mysql_user` module.
|
||||
|
||||
mysql_packages:
|
||||
- mysql
|
||||
- mysql-server
|
||||
|
||||
(OS-specific, RedHat/CentOS defaults listed here) Packages to be installed. In some situations, you may need to add additional packages, like `mysql-devel`.
|
||||
|
||||
mysql_enablerepo: ""
|
||||
|
||||
(RedHat/CentOS only) If you have enabled any additional repositories (might I suggest geerlingguy.repo-epel or geerlingguy.repo-remi), those repositories can be listed under this variable (e.g. `remi,epel`). This can be handy, as an example, if you want to install later versions of MySQL.
|
||||
|
||||
mysql_python_package_debian: python3-mysqldb
|
||||
|
||||
(Ubuntu/Debian only) If you need to explicitly override the MySQL Python package, you can set it here. Set this to `python-mysqldb` if using older distributions running Python 2.
|
||||
|
||||
mysql_port: "3306"
|
||||
mysql_bind_address: '0.0.0.0'
|
||||
mysql_datadir: /var/lib/mysql
|
||||
mysql_socket: *default value depends on OS*
|
||||
mysql_pid_file: *default value depends on OS*
|
||||
|
||||
Default MySQL connection configuration.
|
||||
|
||||
mysql_log_file_group: mysql *adm on Debian*
|
||||
mysql_log: ""
|
||||
mysql_log_error: *default value depends on OS*
|
||||
mysql_syslog_tag: *default value depends on OS*
|
||||
|
||||
MySQL logging configuration. Setting `mysql_log` (the general query log) or `mysql_log_error` to `syslog` will make MySQL log to syslog using the `mysql_syslog_tag`.
|
||||
|
||||
mysql_slow_query_log_enabled: false
|
||||
mysql_slow_query_log_file: *default value depends on OS*
|
||||
mysql_slow_query_time: 2
|
||||
|
||||
Slow query log settings. Note that the log file will be created by this role, but if you're running on a server with SELinux or AppArmor, you may need to add this path to the allowed paths for MySQL, or disable the mysql profile. For example, on Debian/Ubuntu, you can run `sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld && sudo service apparmor restart`.
|
||||
|
||||
mysql_key_buffer_size: "256M"
|
||||
mysql_max_allowed_packet: "64M"
|
||||
mysql_table_open_cache: "256"
|
||||
[...]
|
||||
|
||||
The rest of the settings in `defaults/main.yml` control MySQL's memory usage and some other common settings. The default values are tuned for a server where MySQL can consume ~512 MB RAM, so you should consider adjusting them to suit your particular server better.
|
||||
|
||||
mysql_server_id: "1"
|
||||
mysql_max_binlog_size: "100M"
|
||||
mysql_binlog_format: "ROW"
|
||||
mysql_expire_logs_days: "10"
|
||||
mysql_replication_role: ''
|
||||
mysql_replication_master: ''
|
||||
mysql_replication_user: {}
|
||||
|
||||
Replication settings. Set `mysql_server_id` and `mysql_replication_role` by server (e.g. the master would be ID `1`, with the `mysql_replication_role` of `master`, and the slave would be ID `2`, with the `mysql_replication_role` of `slave`). The `mysql_replication_user` uses the same keys as individual list items in `mysql_users`, and is created on master servers, and used to replicate on all the slaves.
|
||||
|
||||
`mysql_replication_master` needs to resolve to an IP or a hostname which is accessable to the Slaves (this could be a `/etc/hosts` injection or some other means), otherwise the slaves cannot communicate to the master.
|
||||
|
||||
### Later versions of MySQL on CentOS 7
|
||||
|
||||
If you want to install MySQL from the official repository instead of installing the system default MariaDB equivalents, you can add the following `pre_tasks` task in your playbook:
|
||||
|
||||
```yaml
|
||||
pre_tasks:
|
||||
- name: Install the MySQL repo.
|
||||
yum:
|
||||
name: http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
|
||||
state: present
|
||||
when: ansible_os_family == "RedHat"
|
||||
|
||||
- name: Override variables for MySQL (RedHat).
|
||||
set_fact:
|
||||
mysql_daemon: mysqld
|
||||
mysql_packages: ['mysql-server']
|
||||
mysql_log_error: /var/log/mysqld.err
|
||||
mysql_syslog_tag: mysqld
|
||||
mysql_pid_file: /var/run/mysqld/mysqld.pid
|
||||
mysql_socket: /var/lib/mysql/mysql.sock
|
||||
when: ansible_os_family == "RedHat"
|
||||
```
|
||||
|
||||
### MariaDB usage
|
||||
|
||||
This role works with either MySQL or a compatible version of MariaDB. On RHEL/CentOS 7+, the mariadb database engine was substituted as the default MySQL replacement package. No modifications are necessary though all of the variables still reference 'mysql' instead of mariadb.
|
||||
|
||||
#### Ubuntu 14.04 and 16.04 MariaDB configuration
|
||||
|
||||
On Ubuntu, the package names are named differently, so the `mysql_package` variable needs to be altered. Set the following variables (at a minimum):
|
||||
|
||||
mysql_packages:
|
||||
- mariadb-client
|
||||
- mariadb-server
|
||||
- python-mysqldb
|
||||
|
||||
## Dependencies
|
||||
|
||||
None.
|
||||
|
||||
## Example Playbook
|
||||
|
||||
- hosts: db-servers
|
||||
become: yes
|
||||
vars_files:
|
||||
- vars/main.yml
|
||||
roles:
|
||||
- { role: geerlingguy.mysql }
|
||||
|
||||
*Inside `vars/main.yml`*:
|
||||
|
||||
mysql_root_password: super-secure-password
|
||||
mysql_databases:
|
||||
- name: example_db
|
||||
encoding: latin1
|
||||
collation: latin1_general_ci
|
||||
mysql_users:
|
||||
- name: example_user
|
||||
host: "%"
|
||||
password: similarly-secure-password
|
||||
priv: "example_db.*:ALL"
|
||||
|
||||
## License
|
||||
|
||||
MIT / BSD
|
||||
|
||||
## Author Information
|
||||
|
||||
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).
|
|
@ -0,0 +1,130 @@
|
|||
---
|
||||
# Set this to the user ansible is logging in as - should have root
|
||||
# or sudo access
|
||||
mysql_user_home: /root
|
||||
mysql_user_name: root
|
||||
mysql_user_password: root
|
||||
|
||||
# The default root user installed by mysql - almost always root
|
||||
mysql_root_home: /root
|
||||
mysql_root_username: root
|
||||
mysql_root_password: root
|
||||
|
||||
# Set this to `true` to forcibly update the root password.
|
||||
mysql_root_password_update: false
|
||||
mysql_user_password_update: false
|
||||
|
||||
mysql_enabled_on_startup: true
|
||||
|
||||
# Whether my.cnf should be updated on every run.
|
||||
overwrite_global_mycnf: true
|
||||
|
||||
# The following variables have a default value depending on operating system.
|
||||
# mysql_config_file: /etc/my.cnf
|
||||
# mysql_config_include_dir: /etc/my.cnf.d
|
||||
|
||||
# Pass in a comma-separated list of repos to use (e.g. "remi,epel"). Used only
|
||||
# for RedHat systems (and derivatives).
|
||||
mysql_enablerepo: ""
|
||||
|
||||
# Define a custom list of packages to install; if none provided, the default
|
||||
# package list from vars/[OS-family].yml will be used.
|
||||
# mysql_packages:
|
||||
# - mysql
|
||||
# - mysql-server
|
||||
# - MySQL-python
|
||||
|
||||
mysql_python_package_debian: python3-mysqldb
|
||||
|
||||
# MySQL connection settings.
|
||||
mysql_port: "3306"
|
||||
mysql_bind_address: '0.0.0.0'
|
||||
mysql_skip_name_resolve: false
|
||||
mysql_datadir: /var/lib/mysql
|
||||
mysql_sql_mode: ~
|
||||
# The following variables have a default value depending on operating system.
|
||||
# mysql_pid_file: /var/run/mysqld/mysqld.pid
|
||||
# mysql_socket: /var/lib/mysql/mysql.sock
|
||||
|
||||
# Log file settings.
|
||||
mysql_log_file_group: mysql
|
||||
|
||||
# Slow query log settings.
|
||||
mysql_slow_query_log_enabled: false
|
||||
mysql_slow_query_time: "2"
|
||||
# The following variable has a default value depending on operating system.
|
||||
# mysql_slow_query_log_file: /var/log/mysql-slow.log
|
||||
|
||||
# Memory settings (default values optimized ~512MB RAM).
|
||||
mysql_key_buffer_size: "256M"
|
||||
mysql_max_allowed_packet: "64M"
|
||||
mysql_table_open_cache: "256"
|
||||
mysql_sort_buffer_size: "1M"
|
||||
mysql_read_buffer_size: "1M"
|
||||
mysql_read_rnd_buffer_size: "4M"
|
||||
mysql_myisam_sort_buffer_size: "64M"
|
||||
mysql_thread_cache_size: "8"
|
||||
mysql_query_cache_type: "0"
|
||||
mysql_query_cache_size: "16M"
|
||||
mysql_query_cache_limit: "1M"
|
||||
mysql_max_connections: "151"
|
||||
mysql_tmp_table_size: "16M"
|
||||
mysql_max_heap_table_size: "16M"
|
||||
mysql_group_concat_max_len: "1024"
|
||||
mysql_join_buffer_size: "262144"
|
||||
|
||||
# Other settings.
|
||||
mysql_lower_case_table_names: "0"
|
||||
mysql_wait_timeout: "28800"
|
||||
mysql_event_scheduler_state: "OFF"
|
||||
|
||||
# InnoDB settings.
|
||||
mysql_innodb_file_per_table: "1"
|
||||
# Set .._buffer_pool_size up to 80% of RAM but beware of setting too high.
|
||||
mysql_innodb_buffer_pool_size: "256M"
|
||||
# Set .._log_file_size to 25% of buffer pool size.
|
||||
mysql_innodb_log_file_size: "64M"
|
||||
mysql_innodb_log_buffer_size: "8M"
|
||||
mysql_innodb_flush_log_at_trx_commit: "1"
|
||||
mysql_innodb_lock_wait_timeout: "50"
|
||||
|
||||
# These settings require MySQL > 5.5.
|
||||
mysql_innodb_large_prefix: "1"
|
||||
mysql_innodb_file_format: "barracuda"
|
||||
|
||||
# mysqldump settings.
|
||||
mysql_mysqldump_max_allowed_packet: "64M"
|
||||
|
||||
# Logging settings.
|
||||
mysql_log: ""
|
||||
# The following variables have a default value depending on operating system.
|
||||
# mysql_log_error: /var/log/mysql/mysql.err
|
||||
# mysql_syslog_tag: mysql
|
||||
|
||||
mysql_config_include_files: []
|
||||
# - src: path/relative/to/playbook/file.cnf
|
||||
# - { src: path/relative/to/playbook/anotherfile.cnf, force: yes }
|
||||
|
||||
# Databases.
|
||||
mysql_databases: []
|
||||
# - name: example
|
||||
# collation: utf8_general_ci
|
||||
# encoding: utf8
|
||||
# replicate: 1
|
||||
|
||||
# Users.
|
||||
mysql_users: []
|
||||
# - name: example
|
||||
# host: 127.0.0.1
|
||||
# password: secret
|
||||
# priv: *.*:USAGE
|
||||
|
||||
# Replication settings (replication is only enabled if master/user have values).
|
||||
mysql_server_id: "1"
|
||||
mysql_max_binlog_size: "100M"
|
||||
mysql_binlog_format: "ROW"
|
||||
mysql_expire_logs_days: "10"
|
||||
mysql_replication_role: ''
|
||||
mysql_replication_master: ''
|
||||
# Same keys as `mysql_users` above.
|
||||
mysql_replication_user: []
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
- name: restart mysql
|
||||
service: "name={{ mysql_daemon }} state=restarted sleep=5"
|
|
@ -0,0 +1,2 @@
|
|||
install_date: 'Mi 29 Dez 2021 22:08:50 '
|
||||
version: 3.3.2
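Review bot: `.galaxy_install_info` shows that `geerlingguy.mysql` 3.3.2 was copied into the repository wholesale, including its CI workflows, license and README; a vendored role stops receiving upstream fixes unless someone remembers to refresh it, and local edits become indistinguishable from upstream. A `requirements.yml` entry pinning `geerlingguy.mysql` to `3.3.2` and installed at deploy time gives the same pin with a visible upgrade path; if the copy is deliberate (offline installs), a short note in the repository README saying so and how to refresh it would help.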
|
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
dependencies: []
|
||||
|
||||
galaxy_info:
|
||||
role_name: mysql
|
||||
author: geerlingguy
|
||||
description: MySQL server for RHEL/CentOS and Debian/Ubuntu.
|
||||
company: "Midwestern Mac, LLC"
|
||||
license: "license (BSD, MIT)"
|
||||
min_ansible_version: 2.4
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
- 8
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- all
|
||||
- name: Debian
|
||||
versions:
|
||||
- all
|
||||
- name: Archlinux
|
||||
versions:
|
||||
- all
|
||||
galaxy_tags:
|
||||
- database
|
||||
- mysql
|
||||
- mariadb
|
||||
- db
|
||||
- sql
|
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
become: true
|
||||
|
||||
roles:
|
||||
- role: geerlingguy.mysql
|
||||
|
||||
post_tasks:
|
||||
- name: Make sure we can connect to MySQL via Unix socket.
|
||||
command: "mysql -u root -proot -e 'show databases;'"
|
||||
changed_when: false
|
||||
|
||||
- name: Make sure we can connect to MySQL via TCP.
|
||||
command: "mysql -u root -proot -h 127.0.0.1 -e 'show databases;'"
|
||||
changed_when: false
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
dependency:
|
||||
name: galaxy
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: instance
|
||||
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
|
||||
command: ${MOLECULE_DOCKER_COMMAND:-""}
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
privileged: true
|
||||
pre_build_image: true
|
||||
provisioner:
|
||||
name: ansible
|
||||
playbooks:
|
||||
converge: ${MOLECULE_PLAYBOOK:-converge.yml}
|
|
@ -0,0 +1,87 @@
|
|||
---
|
||||
- name: Get MySQL version.
|
||||
command: 'mysql --version'
|
||||
register: mysql_cli_version
|
||||
changed_when: false
|
||||
check_mode: false
|
||||
|
||||
- name: Copy my.cnf global MySQL configuration.
|
||||
template:
|
||||
src: my.cnf.j2
|
||||
dest: "{{ mysql_config_file }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
force: "{{ overwrite_global_mycnf }}"
|
||||
notify: restart mysql
|
||||
|
||||
- name: Verify mysql include directory exists.
|
||||
file:
|
||||
path: "{{ mysql_config_include_dir }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
when: mysql_config_include_files | length
|
||||
|
||||
- name: Copy my.cnf override files into include directory.
|
||||
template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ mysql_config_include_dir }}/{{ item.src | basename }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
force: "{{ item.force | default(False) }}"
|
||||
with_items: "{{ mysql_config_include_files }}"
|
||||
notify: restart mysql
|
||||
|
||||
- name: Create slow query log file (if configured).
|
||||
command: "touch {{ mysql_slow_query_log_file }}"
|
||||
args:
|
||||
creates: "{{ mysql_slow_query_log_file }}"
|
||||
warn: false
|
||||
when: mysql_slow_query_log_enabled
|
||||
|
||||
- name: Create datadir if it does not exist
|
||||
file:
|
||||
path: "{{ mysql_datadir }}"
|
||||
state: directory
|
||||
owner: mysql
|
||||
group: mysql
|
||||
mode: 0755
|
||||
setype: mysqld_db_t
|
||||
|
||||
- name: Set ownership on slow query log file (if configured).
|
||||
file:
|
||||
path: "{{ mysql_slow_query_log_file }}"
|
||||
state: file
|
||||
owner: mysql
|
||||
group: "{{ mysql_log_file_group }}"
|
||||
mode: 0640
|
||||
when: mysql_slow_query_log_enabled
|
||||
|
||||
- name: Create error log file (if configured).
|
||||
command: "touch {{ mysql_log_error }}"
|
||||
args:
|
||||
creates: "{{ mysql_log_error }}"
|
||||
warn: false
|
||||
when:
|
||||
- mysql_log | default(true)
|
||||
- mysql_log_error | default(false)
|
||||
tags: ['skip_ansible_galaxy']
|
||||
|
||||
- name: Set ownership on error log file (if configured).
|
||||
file:
|
||||
path: "{{ mysql_log_error }}"
|
||||
state: file
|
||||
owner: mysql
|
||||
group: "{{ mysql_log_file_group }}"
|
||||
mode: 0640
|
||||
when:
|
||||
- mysql_log | default(true)
|
||||
- mysql_log_error | default(false)
|
||||
tags: ['skip_ansible_galaxy']
|
||||
|
||||
- name: Ensure MySQL is started and enabled on boot.
|
||||
service: "name={{ mysql_daemon }} state=started enabled={{ mysql_enabled_on_startup }}"
|
||||
register: mysql_service_configuration
|
|
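--- /dev/null
+++ b/UNKNOWN_PATH_2
@@ -0,0 +1,8 @@
+---
+- name: Ensure MySQL databases are present.
+mysql_db:
+name: "{{ item.name }}"
+collation: "{{ item.collation | default('utf8_general_ci') }}"
+encoding: "{{ item.encoding | default('utf8') }}"
+state: "{{ item.state | default('present') }}"
+with_items: "{{ mysql_databases }}"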
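--- /dev/null
+++ b/UNKNOWN_PATH_3
@@ -0,0 +1,26 @@
+---
+# Variable configuration.
+- include_tasks: variables.yml
+
+# Setup/install tasks.
+- include_tasks: setup-RedHat.yml
+when: ansible_os_family == 'RedHat'
+
+- include_tasks: setup-Debian.yml
+when: ansible_os_family == 'Debian'
+
+- include_tasks: setup-Archlinux.yml
+when: ansible_os_family == 'Archlinux'
+
+- name: Check if MySQL packages were installed.
+set_fact:
+mysql_install_packages: "{{ (rh_mysql_install_packages is defined and rh_mysql_install_packages.changed)
+or (deb_mysql_install_packages is defined and deb_mysql_install_packages.changed)
+or (arch_mysql_install_packages is defined and arch_mysql_install_packages.changed) }}"
+
+# Configure MySQL.
+- include_tasks: configure.yml
+- include_tasks: secure-installation.yml
+- include_tasks: databases.yml
+- include_tasks: users.yml
+- include_tasks: replication.yml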
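--- /dev/null
+++ b/UNKNOWN_PATH_4
@@ -0,0 +1,58 @@
+---
+- name: Ensure replication user exists on master.
+mysql_user:
+name: "{{ mysql_replication_user.name }}"
+host: "{{ mysql_replication_user.host | default('%') }}"
+password: "{{ mysql_replication_user.password }}"
+priv: "{{ mysql_replication_user.priv | default('*.*:REPLICATION SLAVE,REPLICATION CLIENT') }}"
+state: present
+when:
+- mysql_replication_role == 'master'
+- mysql_replication_user.name is defined
+- (mysql_replication_master | length) > 0
+tags: ['skip_ansible_galaxy']
+
+- name: Check slave replication status.
+mysql_replication:
+mode: getslave
+login_user: "{{ mysql_replication_user.name }}"
+login_password: "{{ mysql_replication_user.password }}"
+ignore_errors: true
+register: slave
+when:
+- mysql_replication_role == 'slave'
+- (mysql_replication_master | length) > 0
+tags: ['skip_ansible_galaxy']
+
+- name: Check master replication status.
+mysql_replication: mode=getmaster
+delegate_to: "{{ mysql_replication_master }}"
+register: master
+when:
+- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Slave is not defined and slave is failed)
+- mysql_replication_role == 'slave'
+- (mysql_replication_master | length) > 0
+tags: ['skip_ansible_galaxy']
+
+- name: Configure replication on the slave.
+mysql_replication:
+mode: changemaster
+master_host: "{{ mysql_replication_master }}"
+master_user: "{{ mysql_replication_user.name }}"
+master_password: "{{ mysql_replication_user.password }}"
+master_log_file: "{{ master.File }}"
+master_log_pos: "{{ master.Position }}"
+ignore_errors: true
+when:
+- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Slave is not defined and slave is failed)
+- mysql_replication_role == 'slave'
+- mysql_replication_user.name is defined
+- (mysql_replication_master | length) > 0
+
+- name: Start replication.
+mysql_replication: mode=startslave
+when:
+- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Slave is not defined and slave is failed)
+- mysql_replication_role == 'slave'
+- (mysql_replication_master | length) > 0
+tags: ['skip_ansible_galaxy']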
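Review bot: The three tasks that pass `mysql_replication_user.password` as a module argument (`Ensure replication user exists on master.`, `Check slave replication status.`, `Configure replication on the slave.`) carry no `no_log: true`, so the password is echoed in verbose task output and in the failure output of the two `ignore_errors: true` tasks; the users task file in this commit sets `no_log: true` on its mysql_user task, so the same line belongs on these three. The two root-password `shell` tasks in the secure-installation file have the same gap, with `mysql_root_password` interpolated directly into the command line. Separately, the master task's `priv` default replaces the grant set rather than appending, so if the same account is also listed in `mysql_users` (a host-variable question outside this hunk) the two tasks may rewrite each other's grants on every run.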
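--- /dev/null
+++ b/UNKNOWN_PATH_5
@@ -0,0 +1,86 @@
+---
+- name: Ensure default user is present.
+mysql_user:
+name: "{{ mysql_user_name }}"
+host: 'localhost'
+password: "{{ mysql_user_password }}"
+priv: '*.*:ALL,GRANT'
+state: present
+when: mysql_user_name != mysql_root_username
+
+# Has to be after the password assignment, for idempotency.
+- name: Copy user-my.cnf file with password credentials.
+template:
+src: "user-my.cnf.j2"
+dest: "{{ mysql_user_home }}/.my.cnf"
+owner: "{{ mysql_user_name }}"
+mode: 0600
+when: >
+mysql_user_name != mysql_root_username
+and (mysql_install_packages | bool or mysql_user_password_update)
+
+- name: Disallow root login remotely
+command: 'mysql -NBe "{{ item }}"'
+with_items:
+- DELETE FROM mysql.user WHERE User='{{ mysql_root_username }}' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
+changed_when: false
+
+- name: Get list of hosts for the root user.
+command: mysql -NBe
+"SELECT Host
+FROM mysql.user
+WHERE User = '{{ mysql_root_username }}'
+ORDER BY (Host='localhost') ASC"
+register: mysql_root_hosts
+changed_when: false
+check_mode: false
+when: mysql_install_packages | bool or mysql_root_password_update
+
+# Note: We do not use mysql_user for this operation, as it doesn't always update
+# the root password correctly. See: https://goo.gl/MSOejW
+# Set root password for MySQL >= 5.7.x.
+- name: Update MySQL root password for localhost root account (5.7.x).
+shell: >
+mysql -u root -NBe
+'ALTER USER "{{ mysql_root_username }}"@"{{ item }}"
+IDENTIFIED WITH mysql_native_password BY "{{ mysql_root_password }}"; FLUSH PRIVILEGES;'
+with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
+when: >
+((mysql_install_packages | bool) or mysql_root_password_update)
+and ('5.7.' in mysql_cli_version.stdout or '8.0.' in mysql_cli_version.stdout)
+
+# Set root password for MySQL < 5.7.x.
+- name: Update MySQL root password for localhost root account (< 5.7.x).
+shell: >
+mysql -NBe
+'SET PASSWORD FOR "{{ mysql_root_username }}"@"{{ item }}" = PASSWORD("{{ mysql_root_password }}"); FLUSH PRIVILEGES;'
+with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
+when: >
+((mysql_install_packages | bool) or mysql_root_password_update)
+and ('5.7.' not in mysql_cli_version.stdout and '8.0.' not in mysql_cli_version.stdout)
+
+# Has to be after the root password assignment, for idempotency.
+- name: Copy .my.cnf file with root password credentials.
+template:
+src: "root-my.cnf.j2"
+dest: "{{ mysql_root_home }}/.my.cnf"
+owner: root
+group: root
+mode: 0600
+when: mysql_install_packages | bool or mysql_root_password_update
+
+- name: Get list of hosts for the anonymous user.
+command: mysql -NBe 'SELECT Host FROM mysql.user WHERE User = ""'
+register: mysql_anonymous_hosts
+changed_when: false
+check_mode: false
+
+- name: Remove anonymous MySQL users.
+mysql_user:
+name: ""
+host: "{{ item }}"
+state: absent
+with_items: "{{ mysql_anonymous_hosts.stdout_lines|default([]) }}"
+
+- name: Remove MySQL test database.
+mysql_db: "name='test' state=absent"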
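--- /dev/null
+++ b/UNKNOWN_PATH_6
@@ -0,0 +1,12 @@
+---
+- name: Ensure MySQL Python libraries are installed.
+pacman: "name=mysql-python state=present"
+
+- name: Ensure MySQL packages are installed.
+pacman: "name={{ mysql_packages }} state=present"
+register: arch_mysql_install_packages
+
+- name: Run mysql_install_db if MySQL packages were changed.
+command: mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
+when: arch_mysql_install_packages.changed
+tags: ['skip_ansible_lint']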
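--- /dev/null
+++ b/UNKNOWN_PATH_7
@@ -0,0 +1,32 @@
+---
+- name: Check if MySQL is already installed.
+stat: path=/etc/init.d/mysql
+register: mysql_installed
+
+- name: Update apt cache if MySQL is not yet installed.
+apt: update_cache=yes
+when: not mysql_installed.stat.exists
+
+- name: Ensure MySQL Python libraries are installed.
+apt:
+name: "{{ mysql_python_package_debian }}"
+state: present
+
+- name: Ensure MySQL packages are installed.
+apt:
+name: "{{ mysql_packages }}"
+state: present
+register: deb_mysql_install_packages
+
+# Because Ubuntu starts MySQL as part of the install process, we need to stop
+# mysql and remove the logfiles in case the user set a custom log file size.
+- name: Ensure MySQL is stopped after initial install.
+service: "name={{ mysql_daemon }} state=stopped"
+when: not mysql_installed.stat.exists
+
+- name: Delete innodb log files created by apt package after initial install.
+file: path={{ mysql_datadir }}/{{ item }} state=absent
+with_items:
+- ib_logfile0
+- ib_logfile1
+when: not mysql_installed.stat.exists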
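Review bot: `stat: path=/etc/init.d/mysql` is the only signal behind `mysql_installed`, and if the installed server package does not ship that exact init script (recent MariaDB packages on Debian install `/etc/init.d/mariadb` instead, as far as I recall) then `mysql_installed.stat.exists` stays false on every run, so the stop-service task and the `ib_logfile0`/`ib_logfile1` deletion re-run against an already-configured server each play. Guarding those two tasks on the package-install result that this file already registers, `when: deb_mysql_install_packages.changed`, ties them to a real first install the way the Archlinux file does with `arch_mysql_install_packages.changed`. Style: `apt: update_cache=yes` and `file: path=... state=absent` use key=value strings while the other apt tasks here use block YAML; block form also avoids the `yes`/`no` boolean spelling.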
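--- /dev/null
+++ b/UNKNOWN_PATH_8
@@ -0,0 +1,7 @@
+---
+- name: Ensure MySQL packages are installed.
+yum:
+name: "{{ mysql_packages }}"
+state: present
+enablerepo: "{{ mysql_enablerepo | default(omit, true) }}"
+register: rh_mysql_install_packages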
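--- /dev/null
+++ b/UNKNOWN_PATH_9
@@ -0,0 +1,12 @@
+---
+- name: Ensure MySQL users are present.
+mysql_user:
+name: "{{ item.name }}"
+host: "{{ item.host | default('localhost') }}"
+password: "{{ item.password }}"
+priv: "{{ item.priv | default('*.*:USAGE') }}"
+state: "{{ item.state | default('present') }}"
+append_privs: "{{ item.append_privs | default('no') }}"
+encrypted: "{{ item.encrypted | default('no') }}"
+with_items: "{{ mysql_users }}"
+no_log: true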
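--- /dev/null
+++ b/UNKNOWN_PATH_10
@@ -0,0 +1,59 @@
+---
+# Variable configuration.
+- name: Include OS-specific variables.
+include_vars: "{{ item }}"
+with_first_found:
+- files:
+- "vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+- "vars/{{ ansible_os_family }}.yml"
+skip: true
+
+- name: Define mysql_packages.
+set_fact:
+mysql_packages: "{{ __mysql_packages | list }}"
+when: mysql_packages is not defined
+
+- name: Define mysql_daemon.
+set_fact:
+mysql_daemon: "{{ __mysql_daemon }}"
+when: mysql_daemon is not defined
+
+- name: Define mysql_slow_query_log_file.
+set_fact:
+mysql_slow_query_log_file: "{{ __mysql_slow_query_log_file }}"
+when: mysql_slow_query_log_file is not defined
+
+- name: Define mysql_log_error.
+set_fact:
+mysql_log_error: "{{ __mysql_log_error }}"
+when: mysql_log_error is not defined
+
+- name: Define mysql_syslog_tag.
+set_fact:
+mysql_syslog_tag: "{{ __mysql_syslog_tag }}"
+when: mysql_syslog_tag is not defined
+
+- name: Define mysql_pid_file.
+set_fact:
+mysql_pid_file: "{{ __mysql_pid_file }}"
+when: mysql_pid_file is not defined
+
+- name: Define mysql_config_file.
+set_fact:
+mysql_config_file: "{{ __mysql_config_file }}"
+when: mysql_config_file is not defined
+
+- name: Define mysql_config_include_dir.
+set_fact:
+mysql_config_include_dir: "{{ __mysql_config_include_dir }}"
+when: mysql_config_include_dir is not defined
+
+- name: Define mysql_socket.
+set_fact:
+mysql_socket: "{{ __mysql_socket }}"
+when: mysql_socket is not defined
+
+- name: Define mysql_supports_innodb_large_prefix.
+set_fact:
+mysql_supports_innodb_large_prefix: "{{ __mysql_supports_innodb_large_prefix }}"
+when: mysql_supports_innodb_large_prefix is not defined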
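--- /dev/null
+++ b/UNKNOWN_PATH_11
@@ -0,0 +1,124 @@
+{{ ansible_managed | comment }}
+
+[client]
+#password = your_password
+port = {{ mysql_port }}
+socket = {{ mysql_socket }}
+
+[mysqld]
+port = {{ mysql_port }}
+bind-address = {{ mysql_bind_address }}
+datadir = {{ mysql_datadir }}
+socket = {{ mysql_socket }}
+pid-file = {{ mysql_pid_file }}
+{% if mysql_skip_name_resolve %}
+skip-name-resolve
+{% endif %}
+{% if mysql_sql_mode is not none %}
+sql_mode = {{ mysql_sql_mode }}
+{% endif %}
+
+# Logging configuration.
+{% if mysql_log_error == 'syslog' or mysql_log == 'syslog' %}
+syslog
+syslog-tag = {{ mysql_syslog_tag }}
+{% else %}
+{% if mysql_log %}
+log = {{ mysql_log }}
+{% endif %}
+log-error = {{ mysql_log_error }}
+{% endif %}
+
+{% if mysql_slow_query_log_enabled %}
+# Slow query log configuration.
+slow_query_log = 1
+slow_query_log_file = {{ mysql_slow_query_log_file }}
+long_query_time = {{ mysql_slow_query_time }}
+{% endif %}
+
+{% if mysql_replication_master %}
+# Replication
+server-id = {{ mysql_server_id }}
+
+{% if mysql_replication_role == 'master' %}
+log_bin = mysql-bin
+log-bin-index = mysql-bin.index
+expire_logs_days = {{ mysql_expire_logs_days }}
+max_binlog_size = {{ mysql_max_binlog_size }}
+binlog_format = {{mysql_binlog_format}}
+
+{% for db in mysql_databases %}
+{% if db.replicate|default(1) %}
+binlog_do_db = {{ db.name }}
+{% else %}
+binlog_ignore_db = {{ db.name }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if mysql_replication_role == 'slave' %}
+read_only
+relay-log = relay-bin
+relay-log-index = relay-bin.index
+{% endif %}
+{% endif %}
+
+# Disabling symbolic-links is recommended to prevent assorted security risks
+symbolic-links = 0
+
+# User is ignored when systemd is used (fedora >= 15).
+user = mysql
+
+# http://dev.mysql.com/doc/refman/5.5/en/performance-schema.html
+;performance_schema
+
+# Memory settings.
+key_buffer_size = {{ mysql_key_buffer_size }}
+max_allowed_packet = {{ mysql_max_allowed_packet }}
+table_open_cache = {{ mysql_table_open_cache }}
+sort_buffer_size = {{ mysql_sort_buffer_size }}
+read_buffer_size = {{ mysql_read_buffer_size }}
+read_rnd_buffer_size = {{ mysql_read_rnd_buffer_size }}
+myisam_sort_buffer_size = {{ mysql_myisam_sort_buffer_size }}
+thread_cache_size = {{ mysql_thread_cache_size }}
+{% if '8.0.' not in mysql_cli_version.stdout %}
+query_cache_type = {{ mysql_query_cache_type }}
+query_cache_size = {{ mysql_query_cache_size }}
+query_cache_limit = {{ mysql_query_cache_limit }}
+{% endif %}
+max_connections = {{ mysql_max_connections }}
+tmp_table_size = {{ mysql_tmp_table_size }}
+max_heap_table_size = {{ mysql_max_heap_table_size }}
+group_concat_max_len = {{ mysql_group_concat_max_len }}
+join_buffer_size = {{ mysql_join_buffer_size }}
+
+# Other settings.
+wait_timeout = {{ mysql_wait_timeout }}
+lower_case_table_names = {{ mysql_lower_case_table_names }}
+event_scheduler = {{ mysql_event_scheduler_state }}
+
+# InnoDB settings.
+{% if mysql_supports_innodb_large_prefix and '8.0.' not in mysql_cli_version.stdout %}
+innodb_large_prefix = {{ mysql_innodb_large_prefix }}
+innodb_file_format = {{ mysql_innodb_file_format }}
+{% endif %}
+innodb_file_per_table = {{ mysql_innodb_file_per_table }}
+innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }}
+innodb_log_file_size = {{ mysql_innodb_log_file_size }}
+innodb_log_buffer_size = {{ mysql_innodb_log_buffer_size }}
+innodb_flush_log_at_trx_commit = {{ mysql_innodb_flush_log_at_trx_commit }}
+innodb_lock_wait_timeout = {{ mysql_innodb_lock_wait_timeout }}
+
+[mysqldump]
+quick
+max_allowed_packet = {{ mysql_mysqldump_max_allowed_packet }}
+
+[mysqld_safe]
+pid-file = {{ mysql_pid_file }}
+
+{% if mysql_config_include_files | length %}
+# * IMPORTANT: Additional settings that can override those from this file!
+# The files must end with '.cnf', otherwise they'll be ignored.
+#
+!includedir {{ mysql_config_include_dir }}
+{% endif %}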
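Review bot: `{% if '8.0.' not in mysql_cli_version.stdout %}` and the later InnoDB `{% if mysql_supports_innodb_large_prefix and '8.0.' not in mysql_cli_version.stdout %}` dereference `mysql_cli_version.stdout` with no default, so rendering fails with an undefined-variable error whenever the task that registers that variable (not in this hunk, presumably in the configure task file) is skipped or has not run; `mysql_cli_version.stdout | default('')` in both tests keeps the template renderable and simply takes the non-8.0 branch. Style: `binlog_format = {{mysql_binlog_format}}` is the only expression in the file without spaces inside the braces; `{{ mysql_binlog_format }}` matches the rest.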
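--- /dev/null
+++ b/UNKNOWN_PATH_12
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+[client]
+user="{{ mysql_root_username }}"
+password="{{ mysql_root_password }}"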
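Review bot: `password="{{ mysql_root_password }}"` writes the secret as a double-quoted MySQL option-file value, and inside such a value the client processes backslash escape sequences and treats an embedded `"` as the end of the value, so a generated password containing either character produces a `.my.cnf` that cannot authenticate. Either state that constraint where these passwords are generated, or escape the value at render time; the same applies to `password="{{ mysql_user_password }}"` in the user-my.cnf template that follows.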
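--- /dev/null
+++ b/UNKNOWN_PATH_13
@@ -0,0 +1,5 @@
+{{ ansible_managed | comment }}
+
+[client]
+user="{{ mysql_user_name }}"
+password="{{ mysql_user_password }}"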
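--- /dev/null
+++ b/UNKNOWN_PATH_14
@@ -0,0 +1,12 @@
+---
+__mysql_daemon: mariadb
+__mysql_packages:
+- mariadb
+__mysql_slow_query_log_file: /var/log/mysql/mysql-slow.log
+__mysql_log_error: /var/log/mysql.err
+__mysql_syslog_tag: mysql
+__mysql_pid_file: /run/mysqld/mysqld.pid
+__mysql_config_file: /etc/mysql/my.cnf
+__mysql_config_include_dir: /etc/mysql/conf.d
+__mysql_socket: /run/mysqld/mysqld.sock
+__mysql_supports_innodb_large_prefix: true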
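--- /dev/null
+++ b/UNKNOWN_PATH_15
@@ -0,0 +1,13 @@
+---
+__mysql_daemon: mariadb
+__mysql_packages:
+- default-mysql-server
+mysql_log_file_group: adm
+__mysql_slow_query_log_file: /var/log/mysql/mysql-slow.log
+__mysql_log_error: /var/log/mysql/mysql.log
+__mysql_syslog_tag: mariadb
+__mysql_pid_file: /run/mysqld/mysqld.pid
+__mysql_config_file: /etc/mysql/my.cnf
+__mysql_config_include_dir: /etc/mysql/conf.d
+__mysql_socket: /run/mysqld/mysqld.sock
+__mysql_supports_innodb_large_prefix: true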
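--- /dev/null
+++ b/UNKNOWN_PATH_16
@@ -0,0 +1,14 @@
+---
+__mysql_daemon: mysql
+__mysql_packages:
+- mysql-common
+- mysql-server
+mysql_log_file_group: adm
+__mysql_slow_query_log_file: /var/log/mysql/mysql-slow.log
+__mysql_log_error: /var/log/mysql/mysql.err
+__mysql_syslog_tag: mysql
+__mysql_pid_file: /var/run/mysqld/mysqld.pid
+__mysql_config_file: /etc/mysql/my.cnf
+__mysql_config_include_dir: /etc/mysql/conf.d
+__mysql_socket: /var/run/mysqld/mysqld.sock
+__mysql_supports_innodb_large_prefix: true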
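--- /dev/null
+++ b/UNKNOWN_PATH_17
@@ -0,0 +1,16 @@
+---
+__mysql_daemon: mariadb
+__mysql_packages:
+- mariadb
+- mariadb-server
+- mariadb-libs
+- MySQL-python
+- perl-DBD-MySQL
+__mysql_slow_query_log_file: /var/log/mysql-slow.log
+__mysql_log_error: /var/log/mariadb/mariadb.log
+__mysql_syslog_tag: mariadb
+__mysql_pid_file: /var/run/mariadb/mariadb.pid
+__mysql_config_file: /etc/my.cnf
+__mysql_config_include_dir: /etc/my.cnf.d
+__mysql_socket: /var/lib/mysql/mysql.sock
+__mysql_supports_innodb_large_prefix: true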
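--- /dev/null
+++ b/UNKNOWN_PATH_18
@@ -0,0 +1,18 @@
+---
+__mysql_daemon: mariadb
+__mysql_packages:
+- mariadb
+- mariadb-server
+- mariadb-connector-c
+- python3-PyMySQL
+- perl-DBD-MySQL
+__mysql_slow_query_log_file: /var/log/mysql-slow.log
+__mysql_log_error: /var/log/mariadb/mariadb.log
+__mysql_syslog_tag: mariadb
+__mysql_pid_file: /var/run/mariadb/mariadb.pid
+__mysql_config_file: /etc/my.cnf
+__mysql_config_include_dir: /etc/my.cnf.d
+__mysql_socket: /var/lib/mysql/mysql.sock
+# The entries controlled by this value should not be used with MariaDB >= 10.2.2
+# See https://github.com/frappe/bench/issues/681#issuecomment-398984706
+__mysql_supports_innodb_large_prefix: false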
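--- /dev/null
+++ b/UNKNOWN_PATH_19
@@ -0,0 +1,29 @@
+---
+language: python
+python: "2.7"
+
+# Use the new container infrastructure
+sudo: false
+
+# Install ansible
+addons:
+apt:
+packages:
+- python-pip
+
+install:
+# Install ansible
+- pip install ansible
+
+# Check ansible version
+- ansible --version
+
+# Create ansible.cfg with correct roles_path
+- printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+# Basic role syntax check
+- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+webhooks: https://galaxy.ansible.com/api/v1/notifications/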
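Review bot: `- pip install ansible` is unpinned, so the syntax check runs against whichever ansible release PyPI serves that day, which makes CI failures non-reproducible and lets an unreviewed new release into the pipeline; pin it, `- pip install 'ansible==<VERSION_PLACEHOLDER>'`, or install from a requirements file with hashes. `sudo: false` and `python: "2.7"` target the retired container infrastructure and an end-of-life interpreter; this file looks like it was copied along with the role, so it may be acceptable if it is not actually used here.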
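--- /dev/null
+++ b/UNKNOWN_PATH_20
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+- hosts: servers
+roles:
+- { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).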
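--- /dev/null
+++ b/UNKNOWN_PATH_21
@@ -0,0 +1,2 @@
+---
+# defaults file for nll-dn42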
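--- /dev/null
+++ b/UNKNOWN_PATH_22
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
+WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
+aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
+NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
+CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
+BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
+VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
+6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
+FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
+y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
+GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
+AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
+bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
+HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
+//8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
+S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
+aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
+P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
+9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
+1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
+C0IKqQ==
+-----END CERTIFICATE-----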
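--- /dev/null
+++ b/UNKNOWN_PATH_23
@@ -0,0 +1,32 @@
+# For Quagga Rules:
+# cat filter.txt | \
+# grep -e ^[0-9] | \
+# awk '{ print "ip prefix-list dn42-in seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | \
+# sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g"
+#
+# For BIRD Rules: (see also: utils/bgp-filter.rb)
+# cat filter.txt | \
+# awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n" } \
+# /^[0-9]/ && $2 ~ /permit/ {printf " %s{%s,%s},\n", $3, $4, $5};' | \
+# sed "$ s/,$/\n ];\n}/"
+
+# The rules MUST be sorted by the number column first and then the first matching rule MUST be used.
+# ROAs MUST be checked against these rules and max-length of the ROA NUST NOT be longer than allowed by the matching rule.
+
+#Nr Action Prefix MinLen MaxLen
+
+0001 deny 172.22.166.0/24 24 32 # Black List due not responding to abuse mails after wiki grief.
+
+1001 permit 172.20.0.0/24 28 32 # dn42 Anycast range
+1002 permit 172.21.0.0/24 28 32 # dn42 Anycast range
+1003 permit 172.22.0.0/24 28 32 # dn42 Anycast range
+1004 permit 172.23.0.0/24 28 32 # dn42 Anycast range
+1100 permit 172.20.0.0/14 21 29 # dn42 main net
+
+2001 permit 10.100.0.0/14 14 32 # chaosvpn
+2002 permit 10.127.0.0/16 16 32 # neonetwork
+2003 permit 10.0.0.0/8 15 24 # freifunk
+
+3001 permit 172.31.0.0/16 16 32 # chaosvpn
+
+9999 deny 0.0.0.0/0 0 32 # block the rest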
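Review bot: The comment `max-length of the ROA NUST NOT be longer than allowed by the matching rule` has a typo, `NUST` for `MUST`, and the same sentence recurs in the IPv6 filter file that follows, where it has additionally been joined onto the end of the preceding `# The rules MUST be sorted ...` line instead of starting its own comment line as it does here. These filter lists look like copies of the dn42 registry files, so the wording fix probably belongs upstream; if they are maintained locally, the two files should at least agree with each other.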
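--- /dev/null
+++ b/UNKNOWN_PATH_24
@@ -0,0 +1,19 @@
+# To Quagga Rules:
+# cat filter6.txt | \
+# grep -e ^[0-9] | \
+# awk '{ print "ipv prefix-list dn42v6-in seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | \
+# sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g"
+#
+# For BIRD Rules: (see also: utils/bgp-filter.rb)
+# cat filter6.txt | \
+# awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n" } \
+# /^[0-9]/ && $2 ~ /permit/ {printf " %s{%s,%s},\n", $3, $4, $5};' | \
+# sed "$ s/,$/\n ];\n}/"
+
+# The rules MUST be sorted by the number column first and then the first matching rule MUST be used. # ROAs MUST be checked against these rules and max-length of the ROA NUST NOT be longer than allowed by the matching rule.
+
+# Nr Action Prefix MinLen MaxLen # Comment
+
+1001 permit fd00::/8 44 64 # ULA (defined)
+
+9999 deny ::/0 0 128 # block the rest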
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
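--- /dev/null
+++ b/PATH-NOT-SHOWN-03
@@ -0,0 +1,201 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity
+exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work
+(an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including
+the original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work
+or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses
+granted to You under this License for that Work shall terminate
+as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or
+Derivative Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work,
+excluding those notices that do not pertain to any part of
+the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained
+within such NOTICE file, excluding those notices that do not
+pertain to any part of the Derivative Works, in at least one
+of the following places: within a NOTICE text file distributed
+as part of the Derivative Works; within the Source form or
+documentation, if provided along with the Derivative Works; or,
+within a display generated by the Derivative Works, if and
+wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and
+do not modify the License. You may add Your own attribution
+notices within Derivative Works that You distribute, alongside
+or as an addendum to the NOTICE text from the Work, provided
+that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify
+the terms of any separate license agreement you may have executed
+with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each
+Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all
+other commercial damages or losses), even if such Contributor
+has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer,
+and charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only
+on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason
+of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following
+boilerplate notice, with the fields enclosed by brackets "[]"
+replaced with your own identifying information. (Don't include
+the brackets!) The text should be enclosed in the appropriate
+comment syntax for the file format. We also recommend that a
+file or class name and description of purpose be included on the
+same "printed page" as the copyright notice for easier
+identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.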
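--- /dev/null
+++ b/PATH-NOT-SHOWN-04
@@ -0,0 +1,17 @@
+Configurable modular Prometheus exporter for various node metrics.
+Copyright 2013-2015 The Prometheus Authors
+
+This product includes software developed at
+SoundCloud Ltd. (http://soundcloud.com/).
+
+The following components are included in this product:
+
+wifi
+https://github.com/mdlayher/wifi
+Copyright 2016-2017 Matt Layher
+Licensed under the MIT License
+
+netlink
+https://github.com/mdlayher/netlink
+Copyright 2016-2017 Matt Layher
+Licensed under the MIT License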
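--- /dev/null
+++ b/PATH-NOT-SHOWN-05
@@ -0,0 +1,3 @@
+nameserver 172.21.74.134
+nameserver 172.21.74.135
+nameserver 2620:fe::fe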
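Review bot: The file mixes two internal resolvers with a public one, and the resolver tries them in order on timeout, so a query for an internal name that the first two fail to answer in time is sent to the public resolver. If that fallback is intended, a one-line comment saying so (`# public fallback, leaks internal names on timeout`) would stop the next maintainer from "fixing" it; if not, drop the third line.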
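--- /dev/null
+++ b/PATH-NOT-SHOWN-06
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
+
+while read pl
+do
+vtysh -c 'conf t' -c "$pl"; #insert prefix list row by row
+done < <(cat filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
+
+vtysh -c "wr" #write new prefix list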
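Review bot: `$pl` on the `vtysh -c 'conf t' -c "$pl"` line is taken straight from filter.txt and executed as a config command, and the only gate is `grep -e ^[0-9]`, whose pattern is unquoted and will be glob-expanded if a file named like `^1` exists in the cwd; quote it, `grep -e '^[0-9]'`. The script reads `filter.txt` relative to the cwd and has no `set -euo pipefail`, so a missing file gives an empty loop and the trailing `vtysh -c "wr"` persists the deletion done on line 3. router_config.yml in this commit inlines the same logic with an absolute path, so this copy is either dead or should become the single source the task calls.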
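--- /dev/null
+++ b/PATH-NOT-SHOWN-07
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+"""
+Ansible filter plugin to convert key/val based array
+into a key:val dictionary.
+Filter supports custom names for key/val.
+
+Author: DevOps <devops@flaconi.de>
+Version: v0.1
+Date: 2018-05-24
+
+Usage:
+    var: "{{ an.array | default({}) | get_attr('key', 'val') }}"
+"""
+
+class FilterModule(object):
+    def filters(self):
+        return {
+            'get_attr': filter_list
+        }
+def filter_list(array, key, value):
+    a = {}
+    for i in array:
+        a[i[key]] = i[value]
+    return a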
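Review bot: The usage example in the docstring uses `default({})`, but `filter_list` iterates its first argument and subscripts each element, so a dict default yields string keys and `i[key]` raises `TypeError`; the example should read `default([])`. `filter_list` also raises a bare `KeyError` for any element missing `key` or `value`, which surfaces in Ansible as an opaque template error; a short explicit message would help. The rendered page has dropped indentation, so it cannot be told here whether `filter_list` is module-level or nested in the class; it must be module-level for the bare `filter_list` reference in `filters()` to resolve.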
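--- /dev/null
+++ b/PATH-NOT-SHOWN-08
@@ -0,0 +1,3 @@
+class FilterModule(object):
+    def filters(self):
+        return { 'makedict': lambda _val, _list: { k: _val for k in _list } }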
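--- /dev/null
+++ b/PATH-NOT-SHOWN-09
@@ -0,0 +1,2 @@
+---
+# handlers file for nll-dn42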
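--- /dev/null
+++ b/PATH-NOT-SHOWN-10
@@ -0,0 +1,52 @@
+galaxy_info:
+  author: your name
+  description: your role description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.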
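Review bot: This is the untouched `ansible-galaxy init` skeleton — `author: your name`, `description: your role description`, `license: license (GPL-2.0-or-later, MIT, etc)` — which ansible-lint's meta-incorrect rule flags and a galaxy import rejects. Fill in at least `author`, `description` and a SPDX `license`, and quote `min_ansible_version: "2.1"` so the value is not parsed as a float.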
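--- /dev/null
+++ b/PATH-NOT-SHOWN-11
@@ -0,0 +1,17 @@
+---
+- name: Allow prometheus endpoints not from default wan
+  ansible.builtin.iptables:
+    chain: INPUT
+    in_interface: "{{ dn42.main_if }}"
+    jump: DROP
+    destination_ports: 9000:9900
+    protocol: tcp
+
+- name: Allow prometheus endpoints not from default wan
+  ansible.builtin.iptables:
+    chain: INPUT
+    in_interface: "{{ dn42.main_if }}"
+    jump: DROP
+    destination_ports: 9000:9900
+    protocol: tcp
+    ip_version: ipv6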
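Review bot: Both tasks are named `Allow prometheus endpoints not from default wan` while they `jump: DROP`, and the two names are identical; rename them to say what happens and which family, e.g. `Drop exporter ports 9000-9900 arriving on the WAN interface (IPv4)` / `(IPv6)`. The rules are appended to INPUT (no `action: insert`), so any earlier ACCEPT in the chain takes precedence, and nothing persists them across a reboot — install_base.yml installs `ufw`, whose enable/reload may also replace these raw rules. Quote `destination_ports: "9000:9900"` so the range is unambiguously a string.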
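--- /dev/null
+++ b/PATH-NOT-SHOWN-12
@@ -0,0 +1,62 @@
+---
+- name: Install packages needed on all nodes for bootstrapping
+  apt:
+    pkg:
+      - gnupg2
+    update_cache: yes
+- ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  loop:
+    - net.ipv4.conf.all.forwarding
+    - net.ipv6.conf.all.forwarding
+
+- ansible.posix.sysctl:
+    name: "{{ item }}"
+    value: '0'
+    sysctl_set: yes
+    state: present
+    reload: yes
+  loop:
+    - net.ipv4.conf.all.rp_filter
+    - net.ipv4.conf.default.rp_filter
+
+- name: Install FRR apt-key
+  ansible.builtin.apt_key:
+    url: https://deb.frrouting.org/frr/keys.asc
+    state: present
+
+- name: Add FRR apt-repos
+  ansible.builtin.apt_repository:
+    repo: deb https://deb.frrouting.org/frr {{ ansible_distribution_release }} frr-8
+
+- name: Install packages needed on all nodes
+  apt:
+    pkg:
+      - wireguard
+      - wireguard-tools
+      - frr
+      - frr-pythontools
+      - vim
+      - ufw
+    update_cache: yes
+
+- name: Copy dn42 CA cert
+  ansible.builtin.copy:
+    src: ./dn42-ca.crt
+    dest: /usr/local/share/ca-certificates/dn42.crt
+
+- name: Update ca-certificates
+  ansible.builtin.shell:
+    update-ca-certificates
+
+- name: Deploy resolv.conf
+  ansible.builtin.copy:
+    src: ./resolv.conf
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: 0644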
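Review bot: The first `ansible.posix.sysctl` task loops over `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding` but its `name` is the literal `net.ipv4.ip_forward`, so the loop writes that one key twice and IPv6 forwarding is never enabled; it should be `name: "{{ item }}"` exactly as the rp_filter task below it does. `ansible.builtin.apt_key` puts the FRR key into the global trusted keyring (and the module is deprecated); fetching it with `get_url` into `/etc/apt/keyrings/` and adding `[signed-by=…]` to the `repo:` line limits the key to that one repository. `Copy dn42 CA cert` makes the dn42 CA trusted for every TLS client on the host, which deserves a comment stating that this is intended, and `Update ca-certificates` only needs to run when that copy changed (`register` + `when`, or a handler).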
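--- /dev/null
+++ b/PATH-NOT-SHOWN-13
@@ -0,0 +1,39 @@
+- name: Check if we already have a key
+  ansible.builtin.stat:
+    path: /etc/wireguard/dn42-nll-{{ item | replace("dn42-", "") }}.conf
+  loop: "{{ groups['dn42-router'] | difference([inventory_hostname]) }}"
+  register: dn42_internal_keys_exist
+
+- name: Generate missing private keys
+  ansible.builtin.shell: privkey=$(wg genkey); pubkey=$( echo $privkey | wg pubkey ); echo $privkey; echo $pubkey
+  loop: "{{ groups['dn42-router'] | difference([inventory_hostname]) | difference(hosts_already_with_configs)}}"
+  vars:
+    hosts_already_with_configs: "{{ dn42_internal_keys_exist.results | selectattr('stat.exists', 'equalto', True) | map(attribute='item') }}"
+  register: wg_privkeys
+
+- name: Get keys from all hosts where a file already exists
+  ansible.builtin.shell:
+    cmd: "priv=$(grep PrivateKey /etc/wireguard/dn42-nll-{{ item | replace('dn42-', '') }}.conf); priv=${priv#'PrivateKey = '}; echo $priv; echo $priv | wg pubkey"
+  loop: "{{ dn42_internal_keys_exist.results | selectattr('stat.exists', 'equalto', True) | map(attribute='item') }}"
+  register: existing_private_keys
+  check_mode: False
+
+- name: Write wg-keys to variable
+  ansible.builtin.set_fact:
+    internal_wg: "{{ internal_wg + [ { 'peer': item.item, 'privkey': item.stdout_lines[0], 'pubkey': item.stdout_lines[1], 'listen_port': current_listen_port } ] }}"
+    current_listen_port: "{{ current_listen_port|int + 1 }}"
+  loop: "{{ wg_privkeys.results + existing_private_keys.results }}"
+
+- name: Generate dn42 wireguard configs
+  ansible.builtin.template:
+    src: dn42-wireguard-internal.conf.j2
+    dest: /etc/wireguard/dn42-nll-{{ item.peer | replace('dn42-', '') }}.conf
+    mode: "0640"
+  loop: "{{ internal_wg | rejectattr('no_wireguard', 'defined') }}"
+
+- name: Generate dn42 network configs
+  ansible.builtin.template:
+    src: dn42-network-internal.j2
+    dest: /etc/network/interfaces.d/dn42-nll-{{ item.peer | replace('dn42-', '') }}
+    mode: "0644"
+  loop: "{{ internal_wg }}"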
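Review bot: `Generate missing private keys` and `Get keys from all hosts where a file already exists` echo WireGuard private keys to stdout and `register` them, so every key is printed in the play output and reaches any callback or log plugin; both tasks, and the `Write wg-keys to variable` task that copies `item.stdout_lines[0]` into `internal_wg`, need `no_log: true`. Because `internal_wg` is then a host fact, enabling fact caching would write the private keys to the cache backend as well — worth a comment on the `set_fact` task. The `existing_private_keys` task has `check_mode: False` so it runs in check mode, but `wg_privkeys` does not, so in check mode `wg_privkeys.results` is undefined and the `set_fact` loop fails; a `default([])` on that loop would keep check runs usable.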
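--- /dev/null
+++ b/PATH-NOT-SHOWN-14
@@ -0,0 +1,50 @@
+---
+- name: Install base foo
+  ansible.builtin.include_tasks:
+    file: install_base.yml
+- name: Include firewall config
+  ansible.builtin.include_tasks:
+    file: configure_firewall.yml
+- name: Install configs for internal routing
+  ansible.builtin.include_tasks:
+    file: internal_network.yml
+- name: Include basic router config
+  ansible.builtin.include_tasks:
+    file: router_config.yml
+- name: Include monitoring config
+  ansible.builtin.include_tasks:
+    file: monitoring.yml
+
+- name: Generate dn42 wireguard configs
+  ansible.builtin.template:
+    src: dn42-wireguard.conf.j2
+    dest: /etc/wireguard/dn42-{{ item.name }}.conf
+    mode: "0640"
+  loop: "{{ dn42.peers | rejectattr('no_wireguard', 'defined') }}"
+
+- name: IPv6 DN42 Dummy Interface
+  ansible.builtin.blockinfile:
+    path: /etc/network/interfaces
+    block: |
+      auto dummy0
+      iface dummy0
+      link-type dummy
+      address {{ dn42.dn42_ipv6 }}
+
+- name: Generate dn42 network configs
+  ansible.builtin.template:
+    src: dn42-network.conf.j2
+    dest: /etc/network/interfaces.d/dn42-{{ item.name }}
+    mode: "0644"
+  loop: "{{ dn42.peers | rejectattr('no_wireguard', 'defined') }}"
+
+
+#- name: Generate frr config
+#  ansible.builtin.template:
+#    src: frr.conf.j2
+#    dest: /etc/frr/frr.conf
+#    owner: frr
+#    group: frr
+#    mode: "0640"
+
+# tasks file for nll-dn42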
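Review bot: The two `template` tasks and the `blockinfile` task have no `notify`, and `handlers/main.yml` in this commit is empty, so a changed peer key, endpoint or address is written to disk but the interface is never reloaded — add a handler (for example `ifdown`/`ifup` of `dn42-{{ item.name }}`, or `wg syncconf`) and notify it from each task. The `Generate frr config` task is commented out while `templates/frr.conf.j2` is added, so the BGP neighbours from `dn42.peers` are not configured by this role unless something outside it deploys `/etc/frr/frr.conf`; either re-enable the task or drop the template. `dn42-wireguard.conf.j2` renders `item.own_privkey` straight from inventory, so the peer entries under `dn42.peers` should be kept ansible-vault encrypted.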
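--- /dev/null
+++ b/PATH-NOT-SHOWN-15
@@ -0,0 +1,128 @@
+### Node Exporter ###
+
+- name: Install node_exporter on all nodes
+  ansible.builtin.copy:
+    src: node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
+    dest: /opt/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
+  register: node_exporter_copy
+
+- name: Extract node_exporter
+  ansible.builtin.command:
+    chdir: /opt
+    cmd: tar xvfz node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
+  when: node_exporter_copy.changed
+
+- name: Link folder to node_exporter
+  ansible.builtin.file:
+    src: /opt/node_exporter-{{ node_exporter_version }}.linux-amd64
+    dest: /opt/node_exporter
+    state: link
+
+- name: Create user node_exporter
+  ansible.builtin.user:
+    name: node_exporter
+    shell: /sbin/nologin
+
+- name: Creating node_exporter sysconfig file
+  ansible.builtin.copy:
+    dest: /etc/node_exporter
+    content: |
+      OPTIONS="--collector.textfile.directory /var/lib/node_exporter/textfile_collector"
+
+- name: Create textfile_collector dir
+  ansible.builtin.file:
+    path: /var/lib/node_exporter/textfile_collector
+    state: directory
+    owner: node_exporter
+    group: node_exporter
+
+- name: Creating node_exporter systemd unit
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/node_exporter.service
+    content: |
+      [Unit]
+      Description=Node Exporter
+
+      [Service]
+      User=node_exporter
+      EnvironmentFile=/etc/node_exporter
+      ExecStart=/opt/node_exporter/node_exporter $OPTIONS
+
+      [Install]
+      WantedBy=multi-user.target
+
+- name: Start and enable node_exporter systemd service
+  ansible.builtin.systemd:
+    name: node_exporter
+    enabled: yes
+    daemon_reload: yes
+    state: started
+
+### FRR Exporter ###
+
+- name: Install frr_exporter on all nodes
+  ansible.builtin.copy:
+    src: frr_exporter
+    dest: /usr/local/bin/frr_exporter
+    mode: 0755
+
+- name: Creating frr_exporter systemd unit
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/frr_exporter.service
+    content: |
+      [Unit]
+      Description=FRR Exporter
+
+      [Service]
+      User=root
+      ExecStart=/usr/local/bin/frr_exporter --collector.bgp6
+
+      [Install]
+      WantedBy=multi-user.target
+
+- name: Start and enable frr_exporter systemd service
+  ansible.builtin.systemd:
+    name: frr_exporter
+    enabled: yes
+    daemon_reload: yes
+    state: started
+
+### --- ###
+
+### Wireguard Exporter ###
+
+- name: Install wireguard exporter on all nodes
+  ansible.builtin.copy:
+    src: prometheus_wireguard_exporter
+    dest: /usr/local/bin/prometheus_wireguard_exporter
+    mode: 0755
+
+- name: Creating frr_exporter systemd unit
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/wireguard_exporter.service
+    content: |
+      [Unit]
+      Description=Wireguard Exporter
+
+      [Service]
+      User=root
+      ExecStart=/usr/local/bin/prometheus_wireguard_exporter $OPTIONS
+
+      [Install]
+      WantedBy=multi-user.target
+
+- name: Start and enable wireguard_exporter systemd service
+  ansible.builtin.systemd:
+    name: wireguard_exporter
+    enabled: yes
+    daemon_reload: yes
+    state: started
+
+- name: Allow connections to port 9100 only from prometheus IP
+  ansible.builtin.iptables:
+    chain: INPUT
+    destination_port: 9100
+    protocol: tcp
+    source: "! 172.21.74.128/26"
+    jump: DROP
+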
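Review bot: The `frr_exporter.service` and `wireguard_exporter.service` units run with `User=root`; a dedicated unprivileged user with `AmbientCapabilities=CAP_NET_ADMIN` for the WireGuard exporter, and membership of the FRR vty group for the FRR exporter, gives each only the access its collector needs. The three `copy` tasks place a tarball and two binaries from `files/` with no checksum and the `systemd` tasks have no `notify`, so a changed unit file or binary is never picked up by a restart; `ansible.builtin.copy` supports `checksum:` and a handler covers the restart. The third unit task is named `Creating frr_exporter systemd unit` although it writes `wireguard_exporter.service`. Only port 9100 is source-restricted here; the other two exporter ports fall under the 9000:9900 WAN-interface drop in configure_firewall.yml only, so they stay reachable from every non-WAN interface including the dn42 peer tunnels — a comment stating that this is intended would help.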
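--- /dev/null
+++ b/PATH-NOT-SHOWN-16
@@ -0,0 +1,33 @@
+
+- name: Create dn42 directory
+  ansible.builtin.file:
+    path: /var/dn42/
+    state: directory
+
+- name: Copy filter files
+  ansible.builtin.copy:
+    dest: /var/dn42/{{ item }}
+    src: "{{ item }}"
+  loop:
+    - "filter.txt"
+    - "filter6.txt"
+  register: filter_list
+
+- name: Deploy ipv4 filter lists
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: |
+      vtysh -c 'conf t' -c "no ip prefix-list dn42"
+      while read pl
+      do
+      vtysh -c 'conf t' -c "$pl"
+      done < <(cat /var/dn42/filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
+      vtysh -c "wr" #write new prefix list
+
+      vtysh -c 'conf t' -c "no ipv6 prefix-list dn42"
+      while read pl
+      do
+      vtysh -c 'conf t' -c "$pl"
+      done < <(cat /var/dn42/filter6.txt | grep -e ^[0-9] | awk '{ print "ipv prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
+      vtysh -c "wr" #write new prefix list
+  when: filter_list.changed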
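Review bot: The IPv6 half of `Deploy ipv4 filter lists` prints `ipv prefix-list dn42 seq …`, which vtysh rejects, so after `no ipv6 prefix-list dn42` the IPv6 list stays empty and `neighbor PUBLIC_TRANSIT_V6 prefix-list dn42 in` matches nothing; the awk string must be `"ipv6 prefix-list dn42 seq "`. Each `$pl` is passed to `vtysh -c` unvalidated and `grep -e ^[0-9]` is an unquoted glob; quote the pattern and start `cmd:` with `set -euo pipefail` so a failed read does not end in `vtysh -c "wr"` persisting the deleted list. The task name says ipv4 but deploys both families, and the Copy task's `register: filter_list` shadows nothing today but reads like the filter data itself — `filter_files` would be clearer.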
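--- /dev/null
+++ b/PATH-NOT-SHOWN-17
@@ -0,0 +1,11 @@
+{% set peer_entry = (hostvars[item.peer]['internal_wg'] | selectattr('peer', 'equalto', inventory_hostname) | first) %}
+{% set peer_name = "dn42-nll-" ~ (item.peer | replace('dn42-', '') ) %}
+
+auto {{ peer_name }}
+iface {{ peer_name }}
+requires {{ dn42.main_if }}
+wireguard-config-path /etc/wireguard/{{ peer_name }}.conf
+address {{ dn42.internal_ipv4 }}
+point-to-point {{ hostvars[item.peer]["dn42"]["internal_ipv4"] }}
+address {{ dn42.internal_ipv6 }}/64
+post-up ip -6 r add {{ hostvars[item.peer]["dn42"]["internal_ipv6"] }} dev {{ peer_name }}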
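Review bot: `peer_entry` on the first line is never used in this template; it is an extra `hostvars` lookup that raises on `| first` when the remote host's `internal_wg` has no entry for this host yet, so drop the line here (the wireguard template that does use it keeps its own copy).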
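--- /dev/null
+++ b/PATH-NOT-SHOWN-18
@@ -0,0 +1,8 @@
+auto dn42-{{ item.name }}
+iface dn42-{{ item.name }}
+requires {{ dn42.main_if }}
+wireguard-config-path /etc/wireguard/dn42-{{ item.name }}.conf
+address {{ item.own_ipv4 }}
+point-to-point {{ item.remote_ipv4 }}
+address {{ item.own_ipv6 }}
+post-up ip -6 r add {{ item.remote_ipv6 }} dev dn42-{{ item.name }}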
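--- /dev/null
+++ b/PATH-NOT-SHOWN-19
@@ -0,0 +1,11 @@
+{% set peer_entry = (hostvars[item.peer]['internal_wg'] | selectattr('peer', 'equalto', inventory_hostname) | first) %}
+
+[Interface]
+PrivateKey = {{ item.privkey }}
+ListenPort = {{ item.listen_port }}
+
+[Peer]
+Endpoint = {{ hostvars[item.peer]['ansible_host'] }}:{{ peer_entry['listen_port'] }}
+AllowedIPs = 0.0.0.0/0,::/0
+PublicKey = {{ peer_entry['pubkey'] }}
+PersistentKeepalive = 25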
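--- /dev/null
+++ b/PATH-NOT-SHOWN-20
@@ -0,0 +1,11 @@
+[Interface]
+PrivateKey = {{ item.own_privkey }}
+{% if item.listen_port is defined %}
+ListenPort = {{ item.listen_port }}
+{% endif %}
+
+[Peer]
+Endpoint = {{ item.endpoint }}
+PublicKey = {{ item.remote_pubkey }}
+AllowedIPs = 0.0.0.0/0,::/0
+PersistentKeepalive = 25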
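--- /dev/null
+++ b/PATH-NOT-SHOWN-21
@@ -0,0 +1,100 @@
+frr version 8.1
+frr defaults traditional
+hostname {{ inventory_hostname }}
+log file /var/log/frr/frr.log
+log stdout
+log syslog
+service integrated-vtysh-config
+!
+debug bgp updates in
+debug bgp updates out
+!
+ip router-id {{ dn42.internal_ipv4 | ansible.netcommon.ipaddr('address') }}
+!
+router babel
+{% for internal_peer in internal_wg %}
+{% set peer_name = "dn42-nll-" ~ (internal_peer.peer | replace('dn42-', '') ) %}
+{% if internal_peer.peer|string != inventory_hostname|string %}
+network {{ peer_name }}
+{% endif %}
+{% endfor %}
+redistribute ipv4 connected
+redistribute ipv4 bgp
+redistribute ipv6 connected
+redistribute ipv6 bgp
+exit
+!
+router bgp 4242423767
+neighbor PUBLIC_TRANSIT peer-group
+neighbor PUBLIC_TRANSIT_V6 peer-group
+{% for neighbor in dn42.peers %}
+
+neighbor {{ neighbor.remote_ipv4 }} remote-as {{ neighbor.remote_as }}
+neighbor {{ neighbor.remote_ipv4 }} peer-group PUBLIC_TRANSIT
+neighbor {{ neighbor.remote_ipv4 }} description {{ neighbor.name }}
+neighbor {{ neighbor.remote_ipv6 }} remote-as {{ neighbor.remote_as}}
+neighbor {{ neighbor.remote_ipv6 }} peer-group PUBLIC_TRANSIT_V6
+neighbor {{ neighbor.remote_ipv6 }} description {{ neighbor.name }}_v6
+neighbor {{ neighbor.remote_ipv6 }} interface dn42-{{ neighbor.name }}
+!
+{% endfor %}
+!
+address-family ipv4 unicast
+network 172.21.74.128/26
+neighbor PUBLIC_TRANSIT prefix-list dn42 in
+neighbor PUBLIC_TRANSIT prefix-list dn42 out
+neighbor PUBLIC_TRANSIT route-map RM_SET_SRC out
+no neighbor PUBLIC_TRANSIT_V6 activate
+exit-address-family
+!
+address-family ipv6 unicast
+network fd68:a3ea:7c9a::/48
+neighbor PUBLIC_TRANSIT_V6 activate
+neighbor PUBLIC_TRANSIT_V6 prefix-list dn42 in
+neighbor PUBLIC_TRANSIT_V6 prefix-list dn42 out
+exit-address-family
+exit
+!
+ip prefix-list allow-only-own seq 10 permit 172.21.74.128/26
+ip prefix-list allow-only-own seq 9999 deny 0.0.0.0/0 le 32
+ip prefix-list dn42 seq 1 deny 172.22.166.0/24 le 32
+ip prefix-list dn42 seq 1001 permit 172.20.0.0/24 ge 28 le 32
+ip prefix-list dn42 seq 1002 permit 172.21.0.0/24 ge 28 le 32
+ip prefix-list dn42 seq 1003 permit 172.22.0.0/24 ge 28 le 32
+ip prefix-list dn42 seq 1004 permit 172.23.0.0/24 ge 28 le 32
+ip prefix-list dn42 seq 1100 permit 172.20.0.0/14 ge 21 le 29
+ip prefix-list dn42 seq 2001 permit 10.100.0.0/14 le 32
+ip prefix-list dn42 seq 2002 permit 10.127.0.0/16 le 32
+ip prefix-list dn42 seq 2003 permit 10.0.0.0/8 ge 15 le 24
+ip prefix-list dn42 seq 3001 permit 172.31.0.0/16 le 32
+ip prefix-list dn42 seq 4001 permit 172.20.0.0/14 le 32
+ip prefix-list dn42 seq 4002 permit 10.0.0.0/8 le 32
+ip prefix-list dn42 seq 9999 deny 0.0.0.0/0 le 32
+
+!
+ipv6 prefix-list dn42 seq 1001 permit fd00::/8 ge 44 le 64
+ipv6 prefix-list dn42 seq 9999 deny ::/0 le 128
+!
+route-map RM_SET_SRC permit 10
+set src 172.21.74.129
+exit
+!
+route-map ONLY_OWN permit 10
+match ip address prefix-list allow-only-own
+exit
+!
+route-map ONLY_OWN permit 10
+match ipv6 address prefix-list allow-only-own
+exit
+!
+route-map ONLY_DN42 permit 10
+match ip address prefix-list dn42
+exit
+!
+route-map ONLY_DN42 permit 20
+match ipv6 address prefix-list dn42
+exit
+!
+ip protocol babel route-map ONLY_DN42
+ipv6 protocol babel route-map ONLY_DN42
+!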
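Review bot: `route-map ONLY_OWN permit 10` is entered twice, once with `match ip address prefix-list allow-only-own` and once with `match ipv6 address prefix-list allow-only-own`; FRR adds the second match to the existing entry 10 rather than replacing it, so the entry requires both an IPv4 and an IPv6 match and can never permit anything — use `permit 20` for the IPv6 clause as `ONLY_DN42` already does. `set src 172.21.74.129` in `RM_SET_SRC` is a literal, so every router rendered from this template sets the same source address; it should be `set src {{ dn42.internal_ipv4 | ansible.netcommon.ipaddr('address') }}`. Sequences 4001 and 4002 (`172.20.0.0/14 le 32`, `10.0.0.0/8 le 32`) come after the length-restricted entries and permit exactly what those reject, so the `ge 21 le 29` / `ge 15 le 24` limits carry no effect and the list is looser than filter.txt in this commit. `debug bgp updates in`/`out` is also left enabled in what renders as the production config.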
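--- /dev/null
+++ b/PATH-NOT-SHOWN-22
@@ -0,0 +1,2 @@
+localhost
+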
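--- /dev/null
+++ b/PATH-NOT-SHOWN-23
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - nll-dn42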
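Review bot: The play targets `localhost` while internal_network.yml in this role loops over `groups['dn42-router']`, which does not exist in the one-line inventory added here, so as committed the play fails at the first task of that file; presumably a real inventory with that group lives elsewhere, in which case `hosts: dn42-router` is what the role expects. Give the play a `name:` as well so the output is attributable.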
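--- /dev/null
+++ b/PATH-NOT-SHOWN-24
@@ -0,0 +1,4 @@
+---
+# vars file for nll-dn42
+internal_wg: []
+current_listen_port: 65001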
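--- /dev/null
+++ b/PATH-NOT-SHOWN-25
@@ -0,0 +1,6 @@
+#!/usr/bin/python3
+
+from yaml import load,dump
+
+with open('./inventory/nll-intern'):
+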
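Review bot: `from yaml import load,dump` imports the full loader, which on PyYAML before 5.1 constructs arbitrary Python objects from tags in the file it parses and on PyYAML 6 raises `TypeError` when called without `Loader=`; import `safe_load` instead (`from yaml import safe_load, dump`). The `with open('./inventory/nll-intern'):` statement has no `as` target and no body, so the file is a `SyntaxError` as committed and looks like a work-in-progress that should not have been added.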