Add dn42 foo.

lagertonne 2022-01-06 18:23:45 +01:00
parent fa6e30eacb
commit 93989e6ab5
85 changed files with 2313 additions and 2 deletions


@ -0,0 +1,18 @@
mysql_root_password: usheeCut6ahjohhiPh4aichah5aiyaex
mysql_root_password_update: true
mysql_databases:
- name: pdns
mysql_users:
- name: repl_user
password: awe9Ier2aisoh8keez5uonge
priv: "*.*:REPLICATION CLIENT"
host: 172.21.74.134
mysql_packages:
- mariadb-client
- mariadb-server
- python3-mysqldb
mysql_replication_user:
name: repl_user
password: awe9Ier2aisoh8keez5uonge
host: 172.21.74.134
mysql_replication_master: "172.21.74.134"
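Review bot: The MySQL root password (`mysql_root_password`) and the replication user's password (written twice, under `mysql_users` and `mysql_replication_user`) are committed in plaintext in this vars file, so database credentials now live in repository history. Keep them as ansible-vault encrypted values (`mysql_root_password: !vault |` followed by the vault payload) or resolve them at run time (`"{{ lookup('env', 'MYSQL_ROOT_PASSWORD') }}"`), and rotate the values that have already been pushed. The replication user's `host` is the master's own address (the same value as `mysql_replication_master`); the grant must match the address the slave connects from, so confirm it against the slave host rather than the master. The `mysql_users` entry grants only `*.*:REPLICATION CLIENT` while the vendored role's replication task defaults the same user to `REPLICATION SLAVE,REPLICATION CLIENT`; since `users.yml` runs before `replication.yml` in the role's `tasks/main.yml`, the replication task's grant is the one that ends up in effect on the master, which is worth a comment here so the two definitions are not read as conflicting.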


@ -0,0 +1 @@
node_exporter_version: 1.3.1


@ -0,0 +1,6 @@
dn42:
internal_ipv4: 172.21.74.133
internal_ipv6: fe80::3767:1
dn42_ipv6: fd68:a3ea:7c9a:0100::1/56
main_if: enp1s0
peers: []
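Review bot: `internal_ipv4` is written as a bare address here and in the two router files, but with a `/32` suffix in the two nameserver files added by the same commit, and `dn42_ipv6` mixes `/56` and `/64`. Whether the consuming role accepts both forms cannot be seen from this commit; pick one notation for `internal_ipv4` across all host vars, and if the prefix length is meaningful to the role, a one-line comment above the key saying which form it expects would prevent the next file from guessing.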


@ -0,0 +1,51 @@
dn42:
internal_ipv4: 172.21.74.129
internal_ipv6: fe80::3767:2
dn42_ipv6: fd68:a3ea:7c9a:0400::1/56
main_if: eth0
peers:
- name: kioubit
own_privkey: EFBQUWCP1i6OzOUKIuCVt3AfmHP3qIaOBx5TLDh4OEw=
remote_pubkey: B1xSG/XTJRLd+GrWDsB06BqnIq8Xud93YVh/LYYYtUY=
endpoint: de2.g-load.eu:23767
remote_as: 4242423914
peering_ipv4:
peering_ipv6:
own_ipv4: 172.21.74.129
remote_ipv4: 172.20.53.97
own_ipv6: fd68:a3ea:7c9a::1
remote_ipv6: fdfc:e23f:fb45:3234::1
- name: tech9
own_privkey: GJx2n55txSrwooipEh6DHOq0z4xUn7eQB1ALIJSZM1c=
remote_pubkey: MD1EdVe9a0yycUdXCH3A61s3HhlDn17m5d07e4H33S0=
endpoint: de-fra02.dn42.tech9.io:55024
listen_port: 21588
remote_as: 4242421588
peering_ipv4:
peering_ipv6:
own_ipv4: 172.21.74.129
remote_ipv4: 172.20.16.141
own_ipv6: fe80::100
remote_ipv6: fe80::1588
- name: yura42
own_privkey: 6D6PMxb6q8gHY3P5Cme0LJCvLz6sxsAmeiGbFd9HwFg=
listen_port: 51834
remote_pubkey: qIhJZf6mTruzO4GTCUrJnLqs9ID4TI1GctRhaRilBkg=
endpoint: fra.dneo.moeternet.com:23767
remote_as: 4242422464
peering_ipv4:
peering_ipv6:
own_ipv4: 172.21.74.129
remote_ipv4: 172.20.191.193
own_ipv6: fd42:1145:1419:0:d2d:4242:3767:2
remote_ipv6: fd42:1145:1419:0:d2d:4242:3767:1
- name: lagertonne
no_wireguard:
own_ipv4: 172.21.74.129/32
remote_as: 4242423765
remote_ipv4: 172.21.80.97
own_ipv6: fe80::3765
remote_ipv6: fe80::3767
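Review bot: Each peer's `own_privkey` is a WireGuard private key committed in plaintext (three here, plus two more `own_privkey` values in the second router's peer list later in this commit); anyone with read access to the repository can stand up an endpoint that is indistinguishable from this router. Move them into vault-encrypted values (`own_privkey: !vault |` followed by the payload) or a separate vaulted vars file, and regenerate the keys that are already in history. `no_wireguard:` with no value parses as null, which is falsy in a Jinja truth test; if the role tests truthiness, write `no_wireguard: true`, and if it only tests `is defined`, say so in a comment. The bare `peering_ipv4:` / `peering_ipv6:` keys are likewise null and do not appear in the second router's peer entries, so they are either a lost-indentation artifact of the rendered view or the two files use different peer schemas — worth confirming against the role's template.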


@ -0,0 +1,8 @@
dn42:
internal_ipv4: 172.21.74.134/32
internal_ipv6: fe80::3767:4
dn42_ipv6: fd68:a3ea:7c9a:aa01::1/64
peers: []
main_if: eth0
mysql_server_id: "1"
mysql_replication_role: "master"


@ -0,0 +1,8 @@
dn42:
internal_ipv4: 172.21.74.135/32
internal_ipv6: fe80::3767:5
dn42_ipv6: fd68:a3ea:7c9a:aa02::1/64
peers: []
main_if: eth0
mysql_server_id: "2"
mysql_replication_role: "slave"


@ -0,0 +1,26 @@
dn42:
internal_ipv4: 172.21.74.130
internal_ipv6: fe80::3767:3
dn42_ipv6: fd68:a3ea:7c9a:500::1/56
main_if: eth0
peers:
- name: tech9
own_privkey: cNlNF6vgKI5hu6fzeW6mYbw5HU0OwTY6Ejnum1THIVI=
remote_pubkey: MD1EdVe9a0yycUdXCH3A61s3HhlDn17m5d07e4H33S0=
endpoint: de-fra02.dn42.tech9.io:58609
listen_port: 51588
remote_as: 4242421588
own_ipv4: 172.21.74.130
remote_ipv4: 172.20.16.141
own_ipv6: fe80::100/64
remote_ipv6: fe80::1588/64
- name: kioubit
own_privkey: aAxJTcXJBvDyxcQEcaw0+uk9LAtXaew1ZNat4m6YHHo=
remote_pubkey: sLbzTRr2gfLFb24NPzDOpy8j09Y6zI+a7NkeVMdVSR8=
endpoint: fr1.g-load.eu:23767
listen_port: 51589
remote_as: 4242423914
own_ipv4: 172.21.74.130
remote_ipv4: 172.20.53.102
own_ipv6: fd68:a3ea:7c9a::2
remote_ipv6: fdfc:e23f:fb45:3234::8
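Review bot: The tech9 peer here writes `own_ipv6: fe80::100/64` and `remote_ipv6: fe80::1588/64` with prefix lengths, while the same peer in the first router's file writes `own_ipv6: fe80::100` and `remote_ipv6: fe80::1588` without; a template that appends its own prefix, or passes the value to `wg`/`ip addr` verbatim, will behave differently on the two hosts. Settle on one form and, if the role requires the prefix, document that above `peers:`. `listen_port` is set for both peers here but only for some peers in the first file; if the role falls back to a default port when it is absent, a comment naming that default would make the omission read as intentional.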


@ -12,7 +12,19 @@ all:
dn42-router:
hosts:
dn42-gw-fra:
ansible_host: 95.156.226.95
ansible_host: dn42-gw-fra.neulandlabor.de
dn42-nue01:
ansible_host: dn42-nue01.nll.re
dn42-arn01:
ansible_host: dn42-arn01.nll.re
dn42-ns1:
ansible_host: dn42-ns1.nll.re
dn42-ns2:
ansible_host: dn42-ns2.nll.re
#dn42-nameserver:
# hosts:
# dn42-ns1:
# dn42-ns2:
gateways:
hosts:
gateway01:
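Review bot: The `#dn42-nameserver:` block is configuration parked as comments with no note on why; either drop it or add a line such as `# dn42-nameserver group not yet used — ns1/ns2 are managed via dn42-router for now` so the next reader knows it is deliberate. Because `dn42-ns1` and `dn42-ns2` are placed under `dn42-router`, any group_vars written for routers (peer lists, WireGuard settings) also apply to the nameservers — confirm that is intended rather than a side effect of the disabled group. The enclosing `all:` mapping starts before this hunk.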


@ -0,0 +1,5 @@
[storage]
driver = "overlay"
[storage.options]
mount_program = "/usr/bin/fuse-overlayfs"


@ -0,0 +1,25 @@
---
- hosts: "dn42-dock*"
tasks:
- name: Install needed packages
ansible.builtin.apt:
pkg:
- podman
- slirp4netns
- fuse-overlayfs
- python3-pip
- lxc
- libpam-cgfs
- bridge-utils
- uidmap
- libvirt0
- name: Install podman-compose
ansible.builtin.pip:
name: podman-compose
- name: Create storage.conf
ansible.builtin.copy:
dest: /etc/containers/storage.conf
src: ../files/container-storage.conf
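Review bot: `ansible.builtin.pip` with only `name: podman-compose` installs whatever PyPI serves at run time, so the host's compose tooling is neither reproducible nor reviewable and can change between runs of the same playbook; pin it with `version: "<pinned-version>"` (placeholder for the version you have tested) under the `pip` task. The play declares no `become`, so the apt and pip installs only succeed if the inventory already connects as root; if that is the intent, `become: true` on the play makes it explicit. The `copy` task sets no `mode`, so `/etc/containers/storage.conf` gets the module's default permissions; `mode: "0644"` pins it.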


@ -0,0 +1,4 @@
---
- hosts: dn42-router
roles:
- role: nll-dn42


@ -1,5 +1,5 @@
---
- hosts: internal
- hosts: proxmox_pool_neuland
tasks:
- name: Update all Debian systems


@ -0,0 +1,3 @@
skip_list:
- 'yaml'
- 'role-name'


@ -0,0 +1,4 @@
# These are supported funding model platforms
---
github: geerlingguy
patreon: geerlingguy


@ -0,0 +1,56 @@
# Configuration for probot-stale - https://github.com/probot/stale
# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 90
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
daysUntilClose: 30
# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
onlyLabels: []
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
exemptLabels:
- pinned
- security
- planned
# Set to true to ignore issues in a project (defaults to false)
exemptProjects: false
# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: false
# Set to true to ignore issues with an assignee (defaults to false)
exemptAssignees: false
# Label to use when marking as stale
staleLabel: stale
# Limit the number of actions per hour, from 1-30. Default is 30
limitPerRun: 30
pulls:
markComment: |-
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
unmarkComment: >-
This pull request is no longer marked for closure.
closeComment: >-
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
issues:
markComment: |-
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
unmarkComment: >-
This issue is no longer marked for closure.
closeComment: >-
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.


@ -0,0 +1,77 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "0 1 * * 3"
defaults:
run:
working-directory: 'geerlingguy.mysql'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.mysql'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint
- name: Lint code.
run: |
yamllint .
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
distro:
- centos8
- centos7
- ubuntu1804
- debian10
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.mysql'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule[docker] docker
# See: https://github.com/geerlingguy/ansible-role-mysql/issues/422
- name: Disable AppArmor on Debian.
run: |
set -x
sudo apt-get install apparmor-profiles
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld
if: ${{ startsWith(matrix.distro, 'debian') }}
- name: Run Molecule tests.
run: molecule test
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}


@ -0,0 +1,38 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.mysql'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.mysql'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-base
- name: Trigger a new import on Galaxy.
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

roles/geerlingguy.mysql/.gitignore vendored Normal file

@ -0,0 +1,4 @@
*.retry
*/__pycache__
*.pyc
.cache


@ -0,0 +1,10 @@
---
extends: default
rules:
line-length:
max: 160
level: warning
ignore: |
.github/stale.yml


@ -0,0 +1,20 @@
The MIT License (MIT)
Copyright (c) 2017 Jeff Geerling
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -0,0 +1,199 @@
# Ansible Role: MySQL
[![CI](https://github.com/geerlingguy/ansible-role-mysql/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-mysql/actions?query=workflow%3ACI)
Installs and configures MySQL or MariaDB server on RHEL/CentOS or Debian/Ubuntu servers.
## Requirements
No special requirements; note that this role requires root access, so either run it in a playbook with a global `become: yes`, or invoke the role in your playbook like:
- hosts: database
roles:
- role: geerlingguy.mysql
become: yes
## Role Variables
Available variables are listed below, along with default values (see `defaults/main.yml`):
mysql_user_home: /root
mysql_user_name: root
mysql_user_password: root
The home directory inside which Python MySQL settings will be stored, which Ansible will use when connecting to MySQL. This should be the home directory of the user which runs this Ansible role. The `mysql_user_name` and `mysql_user_password` can be set if you are running this role under a non-root user account and want to set a non-root user.
mysql_root_home: /root
mysql_root_username: root
mysql_root_password: root
The MySQL root user account details.
mysql_root_password_update: false
Whether to force update the MySQL root user's password. By default, this role will only change the root user's password when MySQL is first configured. You can force an update by setting this to `yes`.
> Note: If you get an error like `ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)` after a failed or interrupted playbook run, this usually means the root password wasn't originally updated to begin with. Try either removing the `.my.cnf` file inside the configured `mysql_user_home` or updating it and setting `password=''` (the insecure default password). Run the playbook again, with `mysql_root_password_update` set to `yes`, and the setup should complete.
> Note: If you get an error like `ERROR 1698 (28000): Access denied for user 'root'@'localhost' (using password: YES)` when trying to log in from the CLI you might need to run as root or sudoer.
mysql_enabled_on_startup: true
Whether MySQL should be enabled on startup.
mysql_config_file: *default value depends on OS*
mysql_config_include_dir: *default value depends on OS*
The main my.cnf configuration file and include directory.
overwrite_global_mycnf: true
Whether the global my.cnf should be overwritten each time this role is run. Setting this to `no` tells Ansible to only create the `my.cnf` file if it doesn't exist. This should be left at its default value (`yes`) if you'd like to use this role's variables to configure MySQL.
mysql_config_include_files: []
A list of files that should override the default global my.cnf. Each item in the array requires a "src" parameter which is a path to a file. An optional "force" parameter can force the file to be updated each time ansible runs.
mysql_databases: []
The MySQL databases to create. A database has the values `name`, `encoding` (defaults to `utf8`), `collation` (defaults to `utf8_general_ci`) and `replicate` (defaults to `1`, only used if replication is configured). The formats of these are the same as in the `mysql_db` module.
You can also delete a database (or ensure it's not on the server) by setting `state` to `absent` (defaults to `present`).
mysql_users: []
The MySQL users and their privileges. A user has the values:
- `name`
- `host` (defaults to `localhost`)
- `password` (can be plaintext or encrypted—if encrypted, set `encrypted: yes`)
- `encrypted` (defaults to `no`)
- `priv` (defaults to `*.*:USAGE`)
- `append_privs` (defaults to `no`)
- `state` (defaults to `present`)
The formats of these are the same as in the `mysql_user` module.
mysql_packages:
- mysql
- mysql-server
(OS-specific, RedHat/CentOS defaults listed here) Packages to be installed. In some situations, you may need to add additional packages, like `mysql-devel`.
mysql_enablerepo: ""
(RedHat/CentOS only) If you have enabled any additional repositories (might I suggest geerlingguy.repo-epel or geerlingguy.repo-remi), those repositories can be listed under this variable (e.g. `remi,epel`). This can be handy, as an example, if you want to install later versions of MySQL.
mysql_python_package_debian: python3-mysqldb
(Ubuntu/Debian only) If you need to explicitly override the MySQL Python package, you can set it here. Set this to `python-mysqldb` if using older distributions running Python 2.
mysql_port: "3306"
mysql_bind_address: '0.0.0.0'
mysql_datadir: /var/lib/mysql
mysql_socket: *default value depends on OS*
mysql_pid_file: *default value depends on OS*
Default MySQL connection configuration.
mysql_log_file_group: mysql *adm on Debian*
mysql_log: ""
mysql_log_error: *default value depends on OS*
mysql_syslog_tag: *default value depends on OS*
MySQL logging configuration. Setting `mysql_log` (the general query log) or `mysql_log_error` to `syslog` will make MySQL log to syslog using the `mysql_syslog_tag`.
mysql_slow_query_log_enabled: false
mysql_slow_query_log_file: *default value depends on OS*
mysql_slow_query_time: 2
Slow query log settings. Note that the log file will be created by this role, but if you're running on a server with SELinux or AppArmor, you may need to add this path to the allowed paths for MySQL, or disable the mysql profile. For example, on Debian/Ubuntu, you can run `sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/usr.sbin.mysqld && sudo service apparmor restart`.
mysql_key_buffer_size: "256M"
mysql_max_allowed_packet: "64M"
mysql_table_open_cache: "256"
[...]
The rest of the settings in `defaults/main.yml` control MySQL's memory usage and some other common settings. The default values are tuned for a server where MySQL can consume ~512 MB RAM, so you should consider adjusting them to suit your particular server better.
mysql_server_id: "1"
mysql_max_binlog_size: "100M"
mysql_binlog_format: "ROW"
mysql_expire_logs_days: "10"
mysql_replication_role: ''
mysql_replication_master: ''
mysql_replication_user: {}
Replication settings. Set `mysql_server_id` and `mysql_replication_role` by server (e.g. the master would be ID `1`, with the `mysql_replication_role` of `master`, and the slave would be ID `2`, with the `mysql_replication_role` of `slave`). The `mysql_replication_user` uses the same keys as individual list items in `mysql_users`, and is created on master servers, and used to replicate on all the slaves.
`mysql_replication_master` needs to resolve to an IP or a hostname which is accessable to the Slaves (this could be a `/etc/hosts` injection or some other means), otherwise the slaves cannot communicate to the master.
### Later versions of MySQL on CentOS 7
If you want to install MySQL from the official repository instead of installing the system default MariaDB equivalents, you can add the following `pre_tasks` task in your playbook:
```yaml
pre_tasks:
- name: Install the MySQL repo.
yum:
name: http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm
state: present
when: ansible_os_family == "RedHat"
- name: Override variables for MySQL (RedHat).
set_fact:
mysql_daemon: mysqld
mysql_packages: ['mysql-server']
mysql_log_error: /var/log/mysqld.err
mysql_syslog_tag: mysqld
mysql_pid_file: /var/run/mysqld/mysqld.pid
mysql_socket: /var/lib/mysql/mysql.sock
when: ansible_os_family == "RedHat"
```
### MariaDB usage
This role works with either MySQL or a compatible version of MariaDB. On RHEL/CentOS 7+, the mariadb database engine was substituted as the default MySQL replacement package. No modifications are necessary though all of the variables still reference 'mysql' instead of mariadb.
#### Ubuntu 14.04 and 16.04 MariaDB configuration
On Ubuntu, the package names are named differently, so the `mysql_package` variable needs to be altered. Set the following variables (at a minimum):
mysql_packages:
- mariadb-client
- mariadb-server
- python-mysqldb
## Dependencies
None.
## Example Playbook
- hosts: db-servers
become: yes
vars_files:
- vars/main.yml
roles:
- { role: geerlingguy.mysql }
*Inside `vars/main.yml`*:
mysql_root_password: super-secure-password
mysql_databases:
- name: example_db
encoding: latin1
collation: latin1_general_ci
mysql_users:
- name: example_user
host: "%"
password: similarly-secure-password
priv: "example_db.*:ALL"
## License
MIT / BSD
## Author Information
This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).


@ -0,0 +1,130 @@
---
# Set this to the user ansible is logging in as - should have root
# or sudo access
mysql_user_home: /root
mysql_user_name: root
mysql_user_password: root
# The default root user installed by mysql - almost always root
mysql_root_home: /root
mysql_root_username: root
mysql_root_password: root
# Set this to `true` to forcibly update the root password.
mysql_root_password_update: false
mysql_user_password_update: false
mysql_enabled_on_startup: true
# Whether my.cnf should be updated on every run.
overwrite_global_mycnf: true
# The following variables have a default value depending on operating system.
# mysql_config_file: /etc/my.cnf
# mysql_config_include_dir: /etc/my.cnf.d
# Pass in a comma-separated list of repos to use (e.g. "remi,epel"). Used only
# for RedHat systems (and derivatives).
mysql_enablerepo: ""
# Define a custom list of packages to install; if none provided, the default
# package list from vars/[OS-family].yml will be used.
# mysql_packages:
# - mysql
# - mysql-server
# - MySQL-python
mysql_python_package_debian: python3-mysqldb
# MySQL connection settings.
mysql_port: "3306"
mysql_bind_address: '0.0.0.0'
mysql_skip_name_resolve: false
mysql_datadir: /var/lib/mysql
mysql_sql_mode: ~
# The following variables have a default value depending on operating system.
# mysql_pid_file: /var/run/mysqld/mysqld.pid
# mysql_socket: /var/lib/mysql/mysql.sock
# Log file settings.
mysql_log_file_group: mysql
# Slow query log settings.
mysql_slow_query_log_enabled: false
mysql_slow_query_time: "2"
# The following variable has a default value depending on operating system.
# mysql_slow_query_log_file: /var/log/mysql-slow.log
# Memory settings (default values optimized ~512MB RAM).
mysql_key_buffer_size: "256M"
mysql_max_allowed_packet: "64M"
mysql_table_open_cache: "256"
mysql_sort_buffer_size: "1M"
mysql_read_buffer_size: "1M"
mysql_read_rnd_buffer_size: "4M"
mysql_myisam_sort_buffer_size: "64M"
mysql_thread_cache_size: "8"
mysql_query_cache_type: "0"
mysql_query_cache_size: "16M"
mysql_query_cache_limit: "1M"
mysql_max_connections: "151"
mysql_tmp_table_size: "16M"
mysql_max_heap_table_size: "16M"
mysql_group_concat_max_len: "1024"
mysql_join_buffer_size: "262144"
# Other settings.
mysql_lower_case_table_names: "0"
mysql_wait_timeout: "28800"
mysql_event_scheduler_state: "OFF"
# InnoDB settings.
mysql_innodb_file_per_table: "1"
# Set .._buffer_pool_size up to 80% of RAM but beware of setting too high.
mysql_innodb_buffer_pool_size: "256M"
# Set .._log_file_size to 25% of buffer pool size.
mysql_innodb_log_file_size: "64M"
mysql_innodb_log_buffer_size: "8M"
mysql_innodb_flush_log_at_trx_commit: "1"
mysql_innodb_lock_wait_timeout: "50"
# These settings require MySQL > 5.5.
mysql_innodb_large_prefix: "1"
mysql_innodb_file_format: "barracuda"
# mysqldump settings.
mysql_mysqldump_max_allowed_packet: "64M"
# Logging settings.
mysql_log: ""
# The following variables have a default value depending on operating system.
# mysql_log_error: /var/log/mysql/mysql.err
# mysql_syslog_tag: mysql
mysql_config_include_files: []
# - src: path/relative/to/playbook/file.cnf
# - { src: path/relative/to/playbook/anotherfile.cnf, force: yes }
# Databases.
mysql_databases: []
# - name: example
# collation: utf8_general_ci
# encoding: utf8
# replicate: 1
# Users.
mysql_users: []
# - name: example
# host: 127.0.0.1
# password: secret
# priv: *.*:USAGE
# Replication settings (replication is only enabled if master/user have values).
mysql_server_id: "1"
mysql_max_binlog_size: "100M"
mysql_binlog_format: "ROW"
mysql_expire_logs_days: "10"
mysql_replication_role: ''
mysql_replication_master: ''
# Same keys as `mysql_users` above.
mysql_replication_user: []


@ -0,0 +1,3 @@
---
- name: restart mysql
service: "name={{ mysql_daemon }} state=restarted sleep=5"


@ -0,0 +1,2 @@
install_date: 'Mi 29 Dez 2021 22:08:50 '
version: 3.3.2


@ -0,0 +1,30 @@
---
dependencies: []
galaxy_info:
role_name: mysql
author: geerlingguy
description: MySQL server for RHEL/CentOS and Debian/Ubuntu.
company: "Midwestern Mac, LLC"
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- 7
- 8
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: Archlinux
versions:
- all
galaxy_tags:
- database
- mysql
- mariadb
- db
- sql


@ -0,0 +1,16 @@
---
- name: Converge
hosts: all
become: true
roles:
- role: geerlingguy.mysql
post_tasks:
- name: Make sure we can connect to MySQL via Unix socket.
command: "mysql -u root -proot -e 'show databases;'"
changed_when: false
- name: Make sure we can connect to MySQL via TCP.
command: "mysql -u root -proot -h 127.0.0.1 -e 'show databases;'"
changed_when: false


@ -0,0 +1,17 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}


@ -0,0 +1,87 @@
---
- name: Get MySQL version.
command: 'mysql --version'
register: mysql_cli_version
changed_when: false
check_mode: false
- name: Copy my.cnf global MySQL configuration.
template:
src: my.cnf.j2
dest: "{{ mysql_config_file }}"
owner: root
group: root
mode: 0644
force: "{{ overwrite_global_mycnf }}"
notify: restart mysql
- name: Verify mysql include directory exists.
file:
path: "{{ mysql_config_include_dir }}"
state: directory
owner: root
group: root
mode: 0755
when: mysql_config_include_files | length
- name: Copy my.cnf override files into include directory.
template:
src: "{{ item.src }}"
dest: "{{ mysql_config_include_dir }}/{{ item.src | basename }}"
owner: root
group: root
mode: 0644
force: "{{ item.force | default(False) }}"
with_items: "{{ mysql_config_include_files }}"
notify: restart mysql
- name: Create slow query log file (if configured).
command: "touch {{ mysql_slow_query_log_file }}"
args:
creates: "{{ mysql_slow_query_log_file }}"
warn: false
when: mysql_slow_query_log_enabled
- name: Create datadir if it does not exist
file:
path: "{{ mysql_datadir }}"
state: directory
owner: mysql
group: mysql
mode: 0755
setype: mysqld_db_t
- name: Set ownership on slow query log file (if configured).
file:
path: "{{ mysql_slow_query_log_file }}"
state: file
owner: mysql
group: "{{ mysql_log_file_group }}"
mode: 0640
when: mysql_slow_query_log_enabled
- name: Create error log file (if configured).
command: "touch {{ mysql_log_error }}"
args:
creates: "{{ mysql_log_error }}"
warn: false
when:
- mysql_log | default(true)
- mysql_log_error | default(false)
tags: ['skip_ansible_galaxy']
- name: Set ownership on error log file (if configured).
file:
path: "{{ mysql_log_error }}"
state: file
owner: mysql
group: "{{ mysql_log_file_group }}"
mode: 0640
when:
- mysql_log | default(true)
- mysql_log_error | default(false)
tags: ['skip_ansible_galaxy']
- name: Ensure MySQL is started and enabled on boot.
service: "name={{ mysql_daemon }} state=started enabled={{ mysql_enabled_on_startup }}"
register: mysql_service_configuration


@ -0,0 +1,8 @@
---
- name: Ensure MySQL databases are present.
mysql_db:
name: "{{ item.name }}"
collation: "{{ item.collation | default('utf8_general_ci') }}"
encoding: "{{ item.encoding | default('utf8') }}"
state: "{{ item.state | default('present') }}"
with_items: "{{ mysql_databases }}"


@ -0,0 +1,26 @@
---
# Variable configuration.
- include_tasks: variables.yml
# Setup/install tasks.
- include_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- include_tasks: setup-Debian.yml
when: ansible_os_family == 'Debian'
- include_tasks: setup-Archlinux.yml
when: ansible_os_family == 'Archlinux'
- name: Check if MySQL packages were installed.
set_fact:
mysql_install_packages: "{{ (rh_mysql_install_packages is defined and rh_mysql_install_packages.changed)
or (deb_mysql_install_packages is defined and deb_mysql_install_packages.changed)
or (arch_mysql_install_packages is defined and arch_mysql_install_packages.changed) }}"
# Configure MySQL.
- include_tasks: configure.yml
- include_tasks: secure-installation.yml
- include_tasks: databases.yml
- include_tasks: users.yml
- include_tasks: replication.yml


@ -0,0 +1,58 @@
---
- name: Ensure replication user exists on master.
mysql_user:
name: "{{ mysql_replication_user.name }}"
host: "{{ mysql_replication_user.host | default('%') }}"
password: "{{ mysql_replication_user.password }}"
priv: "{{ mysql_replication_user.priv | default('*.*:REPLICATION SLAVE,REPLICATION CLIENT') }}"
state: present
when:
- mysql_replication_role == 'master'
- mysql_replication_user.name is defined
- (mysql_replication_master | length) > 0
tags: ['skip_ansible_galaxy']
- name: Check slave replication status.
mysql_replication:
mode: getslave
login_user: "{{ mysql_replication_user.name }}"
login_password: "{{ mysql_replication_user.password }}"
ignore_errors: true
register: slave
when:
- mysql_replication_role == 'slave'
- (mysql_replication_master | length) > 0
tags: ['skip_ansible_galaxy']
- name: Check master replication status.
mysql_replication: mode=getmaster
delegate_to: "{{ mysql_replication_master }}"
register: master
when:
- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Slave is not defined and slave is failed)
- mysql_replication_role == 'slave'
- (mysql_replication_master | length) > 0
tags: ['skip_ansible_galaxy']
- name: Configure replication on the slave.
mysql_replication:
mode: changemaster
master_host: "{{ mysql_replication_master }}"
master_user: "{{ mysql_replication_user.name }}"
master_password: "{{ mysql_replication_user.password }}"
master_log_file: "{{ master.File }}"
master_log_pos: "{{ master.Position }}"
ignore_errors: true
when:
- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Slave is not defined and slave is failed)
- mysql_replication_role == 'slave'
- mysql_replication_user.name is defined
- (mysql_replication_master | length) > 0
- name: Start replication.
mysql_replication: mode=startslave
when:
- (slave.Is_Slave is defined and not slave.Is_Slave) or (slave.Is_Slave is not defined and slave is failed)
- mysql_replication_role == 'slave'
- (mysql_replication_master | length) > 0
tags: ['skip_ansible_galaxy']


@ -0,0 +1,86 @@
---
- name: Ensure default user is present.
mysql_user:
name: "{{ mysql_user_name }}"
host: 'localhost'
password: "{{ mysql_user_password }}"
priv: '*.*:ALL,GRANT'
state: present
when: mysql_user_name != mysql_root_username
# Has to be after the password assignment, for idempotency.
- name: Copy user-my.cnf file with password credentials.
template:
src: "user-my.cnf.j2"
dest: "{{ mysql_user_home }}/.my.cnf"
owner: "{{ mysql_user_name }}"
mode: 0600
when: >
mysql_user_name != mysql_root_username
and (mysql_install_packages | bool or mysql_user_password_update)
- name: Disallow root login remotely
command: 'mysql -NBe "{{ item }}"'
with_items:
- DELETE FROM mysql.user WHERE User='{{ mysql_root_username }}' AND Host NOT IN ('localhost', '127.0.0.1', '::1')
changed_when: false
- name: Get list of hosts for the root user.
command: mysql -NBe
"SELECT Host
FROM mysql.user
WHERE User = '{{ mysql_root_username }}'
ORDER BY (Host='localhost') ASC"
register: mysql_root_hosts
changed_when: false
check_mode: false
when: mysql_install_packages | bool or mysql_root_password_update
# Note: We do not use mysql_user for this operation, as it doesn't always update
# the root password correctly. See: https://goo.gl/MSOejW
# Set root password for MySQL >= 5.7.x.
- name: Update MySQL root password for localhost root account (5.7.x).
shell: >
mysql -u root -NBe
'ALTER USER "{{ mysql_root_username }}"@"{{ item }}"
IDENTIFIED WITH mysql_native_password BY "{{ mysql_root_password }}"; FLUSH PRIVILEGES;'
with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
when: >
((mysql_install_packages | bool) or mysql_root_password_update)
and ('5.7.' in mysql_cli_version.stdout or '8.0.' in mysql_cli_version.stdout)
# Set root password for MySQL < 5.7.x.
- name: Update MySQL root password for localhost root account (< 5.7.x).
shell: >
mysql -NBe
'SET PASSWORD FOR "{{ mysql_root_username }}"@"{{ item }}" = PASSWORD("{{ mysql_root_password }}"); FLUSH PRIVILEGES;'
with_items: "{{ mysql_root_hosts.stdout_lines|default([]) }}"
when: >
((mysql_install_packages | bool) or mysql_root_password_update)
and ('5.7.' not in mysql_cli_version.stdout and '8.0.' not in mysql_cli_version.stdout)
# Has to be after the root password assignment, for idempotency.
- name: Copy .my.cnf file with root password credentials.
template:
src: "root-my.cnf.j2"
dest: "{{ mysql_root_home }}/.my.cnf"
owner: root
group: root
mode: 0600
when: mysql_install_packages | bool or mysql_root_password_update
- name: Get list of hosts for the anonymous user.
command: mysql -NBe 'SELECT Host FROM mysql.user WHERE User = ""'
register: mysql_anonymous_hosts
changed_when: false
check_mode: false
- name: Remove anonymous MySQL users.
mysql_user:
name: ""
host: "{{ item }}"
state: absent
with_items: "{{ mysql_anonymous_hosts.stdout_lines|default([]) }}"
- name: Remove MySQL test database.
mysql_db: "name='test' state=absent"


@ -0,0 +1,12 @@
---
- name: Ensure MySQL Python libraries are installed.
pacman: "name=mysql-python state=present"
- name: Ensure MySQL packages are installed.
pacman: "name={{ mysql_packages }} state=present"
register: arch_mysql_install_packages
- name: Run mysql_install_db if MySQL packages were changed.
command: mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
when: arch_mysql_install_packages.changed
tags: ['skip_ansible_lint']


@ -0,0 +1,32 @@
---
- name: Check if MySQL is already installed.
stat: path=/etc/init.d/mysql
register: mysql_installed
- name: Update apt cache if MySQL is not yet installed.
apt: update_cache=yes
when: not mysql_installed.stat.exists
- name: Ensure MySQL Python libraries are installed.
apt:
name: "{{ mysql_python_package_debian }}"
state: present
- name: Ensure MySQL packages are installed.
apt:
name: "{{ mysql_packages }}"
state: present
register: deb_mysql_install_packages
# Because Ubuntu starts MySQL as part of the install process, we need to stop
# mysql and remove the logfiles in case the user set a custom log file size.
- name: Ensure MySQL is stopped after initial install.
service: "name={{ mysql_daemon }} state=stopped"
when: not mysql_installed.stat.exists
- name: Delete innodb log files created by apt package after initial install.
file: path={{ mysql_datadir }}/{{ item }} state=absent
with_items:
- ib_logfile0
- ib_logfile1
when: not mysql_installed.stat.exists


@ -0,0 +1,7 @@
---
- name: Ensure MySQL packages are installed.
yum:
name: "{{ mysql_packages }}"
state: present
enablerepo: "{{ mysql_enablerepo | default(omit, true) }}"
register: rh_mysql_install_packages


@ -0,0 +1,12 @@
---
- name: Ensure MySQL users are present.
mysql_user:
name: "{{ item.name }}"
host: "{{ item.host | default('localhost') }}"
password: "{{ item.password }}"
priv: "{{ item.priv | default('*.*:USAGE') }}"
state: "{{ item.state | default('present') }}"
append_privs: "{{ item.append_privs | default('no') }}"
encrypted: "{{ item.encrypted | default('no') }}"
with_items: "{{ mysql_users }}"
no_log: true


@ -0,0 +1,59 @@
---
# Variable configuration.
- name: Include OS-specific variables.
include_vars: "{{ item }}"
with_first_found:
- files:
- "vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
- "vars/{{ ansible_os_family }}.yml"
skip: true
- name: Define mysql_packages.
set_fact:
mysql_packages: "{{ __mysql_packages | list }}"
when: mysql_packages is not defined
- name: Define mysql_daemon.
set_fact:
mysql_daemon: "{{ __mysql_daemon }}"
when: mysql_daemon is not defined
- name: Define mysql_slow_query_log_file.
set_fact:
mysql_slow_query_log_file: "{{ __mysql_slow_query_log_file }}"
when: mysql_slow_query_log_file is not defined
- name: Define mysql_log_error.
set_fact:
mysql_log_error: "{{ __mysql_log_error }}"
when: mysql_log_error is not defined
- name: Define mysql_syslog_tag.
set_fact:
mysql_syslog_tag: "{{ __mysql_syslog_tag }}"
when: mysql_syslog_tag is not defined
- name: Define mysql_pid_file.
set_fact:
mysql_pid_file: "{{ __mysql_pid_file }}"
when: mysql_pid_file is not defined
- name: Define mysql_config_file.
set_fact:
mysql_config_file: "{{ __mysql_config_file }}"
when: mysql_config_file is not defined
- name: Define mysql_config_include_dir.
set_fact:
mysql_config_include_dir: "{{ __mysql_config_include_dir }}"
when: mysql_config_include_dir is not defined
- name: Define mysql_socket.
set_fact:
mysql_socket: "{{ __mysql_socket }}"
when: mysql_socket is not defined
- name: Define mysql_supports_innodb_large_prefix.
set_fact:
mysql_supports_innodb_large_prefix: "{{ __mysql_supports_innodb_large_prefix }}"
when: mysql_supports_innodb_large_prefix is not defined


@ -0,0 +1,124 @@
{{ ansible_managed | comment }}
[client]
#password = your_password
port = {{ mysql_port }}
socket = {{ mysql_socket }}
[mysqld]
port = {{ mysql_port }}
bind-address = {{ mysql_bind_address }}
datadir = {{ mysql_datadir }}
socket = {{ mysql_socket }}
pid-file = {{ mysql_pid_file }}
{% if mysql_skip_name_resolve %}
skip-name-resolve
{% endif %}
{% if mysql_sql_mode is not none %}
sql_mode = {{ mysql_sql_mode }}
{% endif %}
# Logging configuration.
{% if mysql_log_error == 'syslog' or mysql_log == 'syslog' %}
syslog
syslog-tag = {{ mysql_syslog_tag }}
{% else %}
{% if mysql_log %}
log = {{ mysql_log }}
{% endif %}
log-error = {{ mysql_log_error }}
{% endif %}
{% if mysql_slow_query_log_enabled %}
# Slow query log configuration.
slow_query_log = 1
slow_query_log_file = {{ mysql_slow_query_log_file }}
long_query_time = {{ mysql_slow_query_time }}
{% endif %}
{% if mysql_replication_master %}
# Replication
server-id = {{ mysql_server_id }}
{% if mysql_replication_role == 'master' %}
log_bin = mysql-bin
log-bin-index = mysql-bin.index
expire_logs_days = {{ mysql_expire_logs_days }}
max_binlog_size = {{ mysql_max_binlog_size }}
binlog_format = {{mysql_binlog_format}}
{% for db in mysql_databases %}
{% if db.replicate|default(1) %}
binlog_do_db = {{ db.name }}
{% else %}
binlog_ignore_db = {{ db.name }}
{% endif %}
{% endfor %}
{% endif %}
{% if mysql_replication_role == 'slave' %}
read_only
relay-log = relay-bin
relay-log-index = relay-bin.index
{% endif %}
{% endif %}
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links = 0
# User is ignored when systemd is used (fedora >= 15).
user = mysql
# http://dev.mysql.com/doc/refman/5.5/en/performance-schema.html
;performance_schema
# Memory settings.
key_buffer_size = {{ mysql_key_buffer_size }}
max_allowed_packet = {{ mysql_max_allowed_packet }}
table_open_cache = {{ mysql_table_open_cache }}
sort_buffer_size = {{ mysql_sort_buffer_size }}
read_buffer_size = {{ mysql_read_buffer_size }}
read_rnd_buffer_size = {{ mysql_read_rnd_buffer_size }}
myisam_sort_buffer_size = {{ mysql_myisam_sort_buffer_size }}
thread_cache_size = {{ mysql_thread_cache_size }}
{% if '8.0.' not in mysql_cli_version.stdout %}
query_cache_type = {{ mysql_query_cache_type }}
query_cache_size = {{ mysql_query_cache_size }}
query_cache_limit = {{ mysql_query_cache_limit }}
{% endif %}
max_connections = {{ mysql_max_connections }}
tmp_table_size = {{ mysql_tmp_table_size }}
max_heap_table_size = {{ mysql_max_heap_table_size }}
group_concat_max_len = {{ mysql_group_concat_max_len }}
join_buffer_size = {{ mysql_join_buffer_size }}
# Other settings.
wait_timeout = {{ mysql_wait_timeout }}
lower_case_table_names = {{ mysql_lower_case_table_names }}
event_scheduler = {{ mysql_event_scheduler_state }}
# InnoDB settings.
{% if mysql_supports_innodb_large_prefix and '8.0.' not in mysql_cli_version.stdout %}
innodb_large_prefix = {{ mysql_innodb_large_prefix }}
innodb_file_format = {{ mysql_innodb_file_format }}
{% endif %}
innodb_file_per_table = {{ mysql_innodb_file_per_table }}
innodb_buffer_pool_size = {{ mysql_innodb_buffer_pool_size }}
innodb_log_file_size = {{ mysql_innodb_log_file_size }}
innodb_log_buffer_size = {{ mysql_innodb_log_buffer_size }}
innodb_flush_log_at_trx_commit = {{ mysql_innodb_flush_log_at_trx_commit }}
innodb_lock_wait_timeout = {{ mysql_innodb_lock_wait_timeout }}
[mysqldump]
quick
max_allowed_packet = {{ mysql_mysqldump_max_allowed_packet }}
[mysqld_safe]
pid-file = {{ mysql_pid_file }}
{% if mysql_config_include_files | length %}
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir {{ mysql_config_include_dir }}
{% endif %}


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
[client]
user="{{ mysql_root_username }}"
password="{{ mysql_root_password }}"


@ -0,0 +1,5 @@
{{ ansible_managed | comment }}
[client]
user="{{ mysql_user_name }}"
password="{{ mysql_user_password }}"


@ -0,0 +1,12 @@
---
__mysql_daemon: mariadb
__mysql_packages:
- mariadb
__mysql_slow_query_log_file: /var/log/mysql/mysql-slow.log
__mysql_log_error: /var/log/mysql.err
__mysql_syslog_tag: mysql
__mysql_pid_file: /run/mysqld/mysqld.pid
__mysql_config_file: /etc/mysql/my.cnf
__mysql_config_include_dir: /etc/mysql/conf.d
__mysql_socket: /run/mysqld/mysqld.sock
__mysql_supports_innodb_large_prefix: true


@ -0,0 +1,13 @@
---
__mysql_daemon: mariadb
__mysql_packages:
- default-mysql-server
mysql_log_file_group: adm
__mysql_slow_query_log_file: /var/log/mysql/mysql-slow.log
__mysql_log_error: /var/log/mysql/mysql.log
__mysql_syslog_tag: mariadb
__mysql_pid_file: /run/mysqld/mysqld.pid
__mysql_config_file: /etc/mysql/my.cnf
__mysql_config_include_dir: /etc/mysql/conf.d
__mysql_socket: /run/mysqld/mysqld.sock
__mysql_supports_innodb_large_prefix: true


@ -0,0 +1,14 @@
---
__mysql_daemon: mysql
__mysql_packages:
- mysql-common
- mysql-server
mysql_log_file_group: adm
__mysql_slow_query_log_file: /var/log/mysql/mysql-slow.log
__mysql_log_error: /var/log/mysql/mysql.err
__mysql_syslog_tag: mysql
__mysql_pid_file: /var/run/mysqld/mysqld.pid
__mysql_config_file: /etc/mysql/my.cnf
__mysql_config_include_dir: /etc/mysql/conf.d
__mysql_socket: /var/run/mysqld/mysqld.sock
__mysql_supports_innodb_large_prefix: true


@ -0,0 +1,16 @@
---
__mysql_daemon: mariadb
__mysql_packages:
- mariadb
- mariadb-server
- mariadb-libs
- MySQL-python
- perl-DBD-MySQL
__mysql_slow_query_log_file: /var/log/mysql-slow.log
__mysql_log_error: /var/log/mariadb/mariadb.log
__mysql_syslog_tag: mariadb
__mysql_pid_file: /var/run/mariadb/mariadb.pid
__mysql_config_file: /etc/my.cnf
__mysql_config_include_dir: /etc/my.cnf.d
__mysql_socket: /var/lib/mysql/mysql.sock
__mysql_supports_innodb_large_prefix: true


@ -0,0 +1,18 @@
---
__mysql_daemon: mariadb
__mysql_packages:
- mariadb
- mariadb-server
- mariadb-connector-c
- python3-PyMySQL
- perl-DBD-MySQL
__mysql_slow_query_log_file: /var/log/mysql-slow.log
__mysql_log_error: /var/log/mariadb/mariadb.log
__mysql_syslog_tag: mariadb
__mysql_pid_file: /var/run/mariadb/mariadb.pid
__mysql_config_file: /etc/my.cnf
__mysql_config_include_dir: /etc/my.cnf.d
__mysql_socket: /var/lib/mysql/mysql.sock
# The entries controlled by this value should not be used with MariaDB >= 10.2.2
# See https://github.com/frappe/bench/issues/681#issuecomment-398984706
__mysql_supports_innodb_large_prefix: false


@ -0,0 +1,29 @@
---
language: python
python: "2.7"
# Use the new container infrastructure
sudo: false
# Install ansible
addons:
apt:
packages:
- python-pip
install:
# Install ansible
- pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

38
roles/nll-dn42/README.md Normal file

@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@ -0,0 +1,2 @@
---
# defaults file for nll-dn42
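Review bot: The defaults file is empty, yet the role's tasks read `dn42.main_if`, `dn42.peers`, `dn42.dn42_ipv6`, `internal_wg`, `current_listen_port` and `node_exporter_version` with no fallback, so a host missing any of them fails inside a template rather than with a clear message; `internal_wg + [...]` in internal_network.yml in particular needs `internal_wg` to already be a list. If these are not defined in vars/main.yml (not visible here), declare the non-secret ones here, e.g. `internal_wg: []` and a starting `current_listen_port`, and replace the placeholder comment with a short list of the `dn42` keys a host must provide.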



@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,32 @@
# For Quagga Rules:
# cat filter.txt | \
# grep -e ^[0-9] | \
# awk '{ print "ip prefix-list dn42-in seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | \
# sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g"
#
# For BIRD Rules: (see also: utils/bgp-filter.rb)
# cat filter.txt | \
# awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n" } \
# /^[0-9]/ && $2 ~ /permit/ {printf " %s{%s,%s},\n", $3, $4, $5};' | \
# sed "$ s/,$/\n ];\n}/"
# The rules MUST be sorted by the number column first and then the first matching rule MUST be used.
# ROAs MUST be checked against these rules and max-length of the ROA NUST NOT be longer than allowed by the matching rule.
#Nr Action Prefix MinLen MaxLen
0001 deny 172.22.166.0/24 24 32 # Black List due not responding to abuse mails after wiki grief.
1001 permit 172.20.0.0/24 28 32 # dn42 Anycast range
1002 permit 172.21.0.0/24 28 32 # dn42 Anycast range
1003 permit 172.22.0.0/24 28 32 # dn42 Anycast range
1004 permit 172.23.0.0/24 28 32 # dn42 Anycast range
1100 permit 172.20.0.0/14 21 29 # dn42 main net
2001 permit 10.100.0.0/14 14 32 # chaosvpn
2002 permit 10.127.0.0/16 16 32 # neonetwork
2003 permit 10.0.0.0/8 15 24 # freifunk
3001 permit 172.31.0.0/16 16 32 # chaosvpn
9999 deny 0.0.0.0/0 0 32 # block the rest


@ -0,0 +1,19 @@
# To Quagga Rules:
# cat filter6.txt | \
# grep -e ^[0-9] | \
# awk '{ print "ipv prefix-list dn42v6-in seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | \
# sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g"
#
# For BIRD Rules: (see also: utils/bgp-filter.rb)
# cat filter6.txt | \
# awk 'BEGIN {printf "function is_valid_network() {\n return net ~ [\n" } \
# /^[0-9]/ && $2 ~ /permit/ {printf " %s{%s,%s},\n", $3, $4, $5};' | \
# sed "$ s/,$/\n ];\n}/"
# The rules MUST be sorted by the number column first and then the first matching rule MUST be used. # ROAs MUST be checked against these rules and max-length of the ROA NUST NOT be longer than allowed by the matching rule.
# Nr Action Prefix MinLen MaxLen # Comment
1001 permit fd00::/8 44 64 # ULA (defined)
9999 deny ::/0 0 128 # block the rest

roles/nll-dn42/files/frr_exporter Executable file




@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@ -0,0 +1,17 @@
Configurable modular Prometheus exporter for various node metrics.
Copyright 2013-2015 The Prometheus Authors
This product includes software developed at
SoundCloud Ltd. (http://soundcloud.com/).
The following components are included in this product:
wifi
https://github.com/mdlayher/wifi
Copyright 2016-2017 Matt Layher
Licensed under the MIT License
netlink
https://github.com/mdlayher/netlink
Copyright 2016-2017 Matt Layher
Licensed under the MIT License



@ -0,0 +1,3 @@
nameserver 172.21.74.134
nameserver 172.21.74.135
nameserver 2620:fe::fe


@ -0,0 +1,9 @@
#!/bin/bash
vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
while read pl
do
vtysh -c 'conf t' -c "$pl"; #insert prefix list row by row
done < <(cat filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
vtysh -c "wr" #write new prefix list
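Review bot: The script drops the existing `dn42` prefix-list first and then reads `filter.txt` relative to the caller's working directory with no error handling, so running it from any other directory feeds an empty list into `vtysh` and `wr` persists a router with no prefix filter (whether that is deny-all or permit-all depends on how the route-map references the list). Prepend `set -euo pipefail` and resolve the file next to the script, e.g. `filter="${1:-$(dirname "$0")/filter.txt}"`, then read from `"$filter"` instead of `cat filter.txt`. Quoting the grep pattern as `'^[0-9]'` also removes a latent shell-glob match on file names starting with `^`.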


@ -0,0 +1,24 @@
#!/usr/bin/env python
"""
Ansible filter plugin to convert key/val based array
into a key:val dictionary.
Filter supports custom names for key/val.
Author: DevOps <devops@flaconi.de>
Version: v0.1
Date: 2018-05-24
Usage:
var: "{{ an.array | default({}) | get_attr('key', 'val') }}"
"""
class FilterModule(object):
def filters(self):
return {
'get_attr': filter_list
}
def filter_list(array, key, value):
a = {}
for i in array:
a[i[key]] = i[value]
return a


@ -0,0 +1,3 @@
class FilterModule(object):
def filters(self):
return { 'makedict': lambda _val, _list: { k: _val for k in _list } }


@ -0,0 +1,2 @@
---
# handlers file for nll-dn42


@ -0,0 +1,52 @@
galaxy_info:
author: your name
description: your role description
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses:
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
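Review bot: `min_ansible_version: 2.1` contradicts the tasks in this commit, which use `ansible.builtin.*` and `ansible.posix.sysctl` collection names that need a far newer Ansible (presumably 2.10 or later), and the `ansible.posix` collection is not declared anywhere. Set `min_ansible_version: "2.10"` (quoted so it is not parsed as a float) and record the collection requirement in a requirements file or the README, since `dependencies` here only covers roles. The `author`, `description` and `license` values are still the `ansible-galaxy init` placeholders and should be filled in, or the file dropped if the role is never published.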


@ -0,0 +1,17 @@
---
- name: Allow prometheus endpoints not from default wan
ansible.builtin.iptables:
chain: INPUT
in_interface: "{{ dn42.main_if }}"
jump: DROP
destination_ports: 9000:9900
protocol: tcp
- name: Allow prometheus endpoints not from default wan
ansible.builtin.iptables:
chain: INPUT
in_interface: "{{ dn42.main_if }}"
jump: DROP
destination_ports: 9000:9900
protocol: tcp
ip_version: ipv6
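Review bot: Both tasks are named "Allow prometheus endpoints…" but they `jump: DROP`, i.e. they block TCP 9000–9900 arriving on `dn42.main_if`; name them for what they do, e.g. `- name: Drop Prometheus exporter ports arriving on the WAN interface (IPv4)` and an `(IPv6)` counterpart, instead of two identical misleading names. Without `action: insert` the module appends to INPUT, so if an earlier rule already accepts this traffic the DROP is never reached; inserting makes the intent hold regardless of the existing chain, and `destination_ports` should be quoted as `"9000:9900"` because the parameter is a list of strings. The iptables module also does not persist rules across reboots, and install_base.yml in this commit installs `ufw`, which manages its own chains — one mechanism should own the firewall, or these rules need iptables-persistent.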


@ -0,0 +1,62 @@
---
- name: Install packages needed on all nodes for bootstrapping
apt:
pkg:
- gnupg2
update_cache: yes
- ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '1'
sysctl_set: yes
state: present
reload: yes
loop:
- net.ipv4.conf.all.forwarding
- net.ipv6.conf.all.forwarding
- ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: yes
state: present
reload: yes
loop:
- net.ipv4.conf.all.rp_filter
- net.ipv4.conf.default.rp_filter
- name: Install FRR apt-key
ansible.builtin.apt_key:
url: https://deb.frrouting.org/frr/keys.asc
state: present
- name: Add FRR apt-repos
ansible.builtin.apt_repository:
repo: deb https://deb.frrouting.org/frr {{ ansible_distribution_release }} frr-8
- name: Install packages needed on all nodes
apt:
pkg:
- wireguard
- wireguard-tools
- frr
- frr-pythontools
- vim
- ufw
update_cache: yes
- name: Copy dn42 CA cert
ansible.builtin.copy:
src: ./dn42-ca.crt
dest: /usr/local/share/ca-certificates/dn42.crt
- name: Update ca-certificates
ansible.builtin.shell:
update-ca-certificates
- name: Deploy resolv.conf
ansible.builtin.copy:
src: ./resolv.conf
dest: /etc/resolv.conf
owner: root
group: root
mode: 0644
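Review bot: The first sysctl task hard-codes `name: net.ipv4.ip_forward` while looping over `net.ipv4.conf.all.forwarding` and `net.ipv6.conf.all.forwarding`, so `item` is never used: ip_forward is set twice and IPv6 forwarding is never enabled, which the IPv6 addressing in main.yml suggests is needed. Change it to `name: "{{ item }}"` as the rp_filter task directly below already does. Setting `rp_filter` to `0` disables reverse-path spoofing protection entirely; if the overlay only needs tolerance for asymmetric routes, loose mode (`value: '2'`) keeps most of the protection — worth confirming against the routing setup. `update-ca-certificates` runs on every play because the shell task has no condition; register the copy task and add `when: dn42_ca_copy.changed` (mirroring the `node_exporter_copy.changed` pattern in monitoring.yml), and give the copied cert an explicit `mode: "0644"`. The `update_cache: yes` / `sysctl_set: yes` / `reload: yes` values should be `true` for consistency with the lower-case booleans used elsewhere in the role.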


@ -0,0 +1,39 @@
- name: Check if we already have a key
ansible.builtin.stat:
path: /etc/wireguard/dn42-nll-{{ item | replace("dn42-", "") }}.conf
loop: "{{ groups['dn42-router'] | difference([inventory_hostname]) }}"
register: dn42_internal_keys_exist
- name: Generate missing private keys
ansible.builtin.shell: privkey=$(wg genkey); pubkey=$( echo $privkey | wg pubkey ); echo $privkey; echo $pubkey
loop: "{{ groups['dn42-router'] | difference([inventory_hostname]) | difference(hosts_already_with_configs)}}"
vars:
hosts_already_with_configs: "{{ dn42_internal_keys_exist.results | selectattr('stat.exists', 'equalto', True) | map(attribute='item') }}"
register: wg_privkeys
- name: Get keys from all hosts where a file already exists
ansible.builtin.shell:
cmd: "priv=$(grep PrivateKey /etc/wireguard/dn42-nll-{{ item | replace('dn42-', '') }}.conf); priv=${priv#'PrivateKey = '}; echo $priv; echo $priv | wg pubkey"
loop: "{{ dn42_internal_keys_exist.results | selectattr('stat.exists', 'equalto', True) | map(attribute='item') }}"
register: existing_private_keys
check_mode: False
- name: Write wg-keys to variable
ansible.builtin.set_fact:
internal_wg: "{{ internal_wg + [ { 'peer': item.item, 'privkey': item.stdout_lines[0], 'pubkey': item.stdout_lines[1], 'listen_port': current_listen_port } ] }}"
current_listen_port: "{{ current_listen_port|int + 1 }}"
loop: "{{ wg_privkeys.results + existing_private_keys.results }}"
- name: Generate dn42 wireguard configs
ansible.builtin.template:
src: dn42-wireguard-internal.conf.j2
dest: /etc/wireguard/dn42-nll-{{ item.peer | replace('dn42-', '') }}.conf
mode: "0640"
loop: "{{ internal_wg | rejectattr('no_wireguard', 'defined') }}"
- name: Generate dn42 network configs
ansible.builtin.template:
src: dn42-network-internal.j2
dest: /etc/network/interfaces.d/dn42-nll-{{ item.peer | replace('dn42-', '') }}
mode: "0644"
loop: "{{ internal_wg }}"
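Review bot: "Generate missing private keys", "Get keys from all hosts where a file already exists" and "Write wg-keys to variable" register and then template WireGuard private keys, but none of them sets `no_log: true`, so every key is printed in the play output and any callback or log destination on each run; add `no_log: true` to those three tasks, as the vendored mysql users task in this commit already does for passwords. `check_mode: False` on the key-reading task should be `false` for consistency, and it is absent from the generation task, so a `--check` run presumably skips generation and the following set_fact then fails indexing `stdout_lines` on skipped results. `internal_wg + [...]` and `current_listen_port|int + 1` assume both variables are pre-defined as a list and an integer; a comment naming where they are expected to be set (defaults, vars or inventory) would help the next reader. The file is also missing the `---` document start used by the other task files.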


@ -0,0 +1,50 @@
---
- name: Install base foo
ansible.builtin.include_tasks:
file: install_base.yml
- name: Include firewall config
ansible.builtin.include_tasks:
file: configure_firewall.yml
- name: Install configs for internal routing
ansible.builtin.include_tasks:
file: internal_network.yml
- name: Include basic router config
ansible.builtin.include_tasks:
file: router_config.yml
- name: Include monitoring config
ansible.builtin.include_tasks:
file: monitoring.yml
- name: Generate dn42 wireguard configs
ansible.builtin.template:
src: dn42-wireguard.conf.j2
dest: /etc/wireguard/dn42-{{ item.name }}.conf
mode: "0640"
loop: "{{ dn42.peers | rejectattr('no_wireguard', 'defined') }}"
- name: IPv6 DN42 Dummy Interface
ansible.builtin.blockinfile:
path: /etc/network/interfaces
block: |
auto dummy0
iface dummy0
link-type dummy
address {{ dn42.dn42_ipv6 }}
- name: Generate dn42 network configs
ansible.builtin.template:
src: dn42-network.conf.j2
dest: /etc/network/interfaces.d/dn42-{{ item.name }}
mode: "0644"
loop: "{{ dn42.peers | rejectattr('no_wireguard', 'defined') }}"
#- name: Generate frr config
# ansible.builtin.template:
# src: frr.conf.j2
# dest: /etc/frr/frr.conf
# owner: frr
# group: frr
# mode: "0640"
# tasks file for nll-dn42
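Review bot: Neither template task (`Generate dn42 wireguard configs`, `Generate dn42 network configs`) nor the `blockinfile` edit of /etc/network/interfaces notifies a handler, so a changed peer key or endpoint is written to disk but the running interface keeps the old state until something brings it down and up again; unless a handler exists elsewhere in the role, add `notify:` entries for a handler that re-applies the affected `dn42-*` interfaces, or an explicit reload task. The commented-out `Generate frr config` block should either be enabled or dropped — this commit also ships frr.conf.j2 and a vtysh-based prefix-list deployment, and keeping both paths half-present leaves it unclear which one owns /etc/frr/frr.conf. The trailing `# tasks file for nll-dn42` line reads as a file header and belongs above the first task.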


@ -0,0 +1,128 @@
### Node Exporter ###
- name: Install node_exporter on all nodes
ansible.builtin.copy:
src: node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
dest: /opt/node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
register: node_exporter_copy
- name: Extract node_exporter
ansible.builtin.command:
chdir: /opt
cmd: tar xvfz node_exporter-{{ node_exporter_version }}.linux-amd64.tar.gz
when: node_exporter_copy.changed
- name: Link folder to node_exporter
ansible.builtin.file:
src: /opt/node_exporter-{{ node_exporter_version }}.linux-amd64
dest: /opt/node_exporter
state: link
- name: Create user node_exporter
ansible.builtin.user:
name: node_exporter
shell: /sbin/nologin
- name: Creating node_exporter sysconfig file
ansible.builtin.copy:
dest: /etc/node_exporter
content: |
OPTIONS="--collector.textfile.directory /var/lib/node_exporter/textfile_collector"
- name: Create textfile_collector dir
ansible.builtin.file:
path: /var/lib/node_exporter/textfile_collector
state: directory
owner: node_exporter
group: node_exporter
- name: Creating node_exporter systemd unit
ansible.builtin.copy:
dest: /etc/systemd/system/node_exporter.service
content: |
[Unit]
Description=Node Exporter
[Service]
User=node_exporter
EnvironmentFile=/etc/node_exporter
ExecStart=/opt/node_exporter/node_exporter $OPTIONS
[Install]
WantedBy=multi-user.target
- name: Start and enable node_exporter systemd service
ansible.builtin.systemd:
name: node_exporter
enabled: yes
daemon_reload: yes
state: started
### FRR Exporter ###
- name: Install frr_exporter on all nodes
ansible.builtin.copy:
src: frr_exporter
dest: /usr/local/bin/frr_exporter
mode: 0755
- name: Creating frr_exporter systemd unit
ansible.builtin.copy:
dest: /etc/systemd/system/frr_exporter.service
content: |
[Unit]
Description=FRR Exporter
[Service]
User=root
ExecStart=/usr/local/bin/frr_exporter --collector.bgp6
[Install]
WantedBy=multi-user.target
- name: Start and enable frr_exporter systemd service
ansible.builtin.systemd:
name: frr_exporter
enabled: yes
daemon_reload: yes
state: started
### --- ###
### Wireguard Exporter ###
- name: Install wireguard exporter on all nodes
ansible.builtin.copy:
src: prometheus_wireguard_exporter
dest: /usr/local/bin/prometheus_wireguard_exporter
mode: 0755
- name: Creating frr_exporter systemd unit
ansible.builtin.copy:
dest: /etc/systemd/system/wireguard_exporter.service
content: |
[Unit]
Description=Wireguard Exporter
[Service]
User=root
ExecStart=/usr/local/bin/prometheus_wireguard_exporter $OPTIONS
[Install]
WantedBy=multi-user.target
- name: Start and enable wireguard_exporter systemd service
ansible.builtin.systemd:
name: wireguard_exporter
enabled: yes
daemon_reload: yes
state: started
- name: Allow connections to port 9100 only from prometheus IP
ansible.builtin.iptables:
chain: INPUT
destination_port: 9100
protocol: tcp
source: "! 172.21.74.128/26"
jump: DROP
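Review bot: The iptables task at the end restricts only port 9100 (node_exporter), but this file also starts frr_exporter and prometheus_wireguard_exporter with no source restriction on the ports they listen on, so BGP neighbour state and WireGuard peer endpoint/handshake data are scrapeable from any host that can reach the router; add the same `source: "! 172.21.74.128/26"` / `jump: DROP` rule for those two ports, and note that `ansible.builtin.iptables` does not persist rules by itself unless configure_firewall.yml (not visible here) saves them. Both of those units run as `User=root`; if root is only needed for `vtysh` and `wg show`, a dedicated user in the vtysh group plus `AmbientCapabilities=CAP_NET_ADMIN`, with `NoNewPrivileges=true` and `ProtectSystem=strict`, would shrink what a network-facing process can do. The third unit task is named `Creating frr_exporter systemd unit` but writes wireguard_exporter.service, and its `ExecStart` references an `$OPTIONS` that no `EnvironmentFile` defines. Style: `enabled: yes`/`daemon_reload: yes` should be `true`, and `mode: 0755` should be quoted like the `"0640"`/`"0644"` modes elsewhere in this commit.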


@ -0,0 +1,33 @@
- name: Create dn42 directory
ansible.builtin.file:
path: /var/dn42/
state: directory
- name: Copy filter files
ansible.builtin.copy:
dest: /var/dn42/{{ item }}
src: "{{ item }}"
loop:
- "filter.txt"
- "filter6.txt"
register: filter_list
- name: Deploy ipv4 filter lists
ansible.builtin.shell:
executable: /bin/bash
cmd: |
vtysh -c 'conf t' -c "no ip prefix-list dn42"
while read pl
do
vtysh -c 'conf t' -c "$pl"
done < <(cat /var/dn42/filter.txt | grep -e ^[0-9] | awk '{ print "ip prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
vtysh -c "wr" #write new prefix list
vtysh -c 'conf t' -c "no ipv6 prefix-list dn42"
while read pl
do
vtysh -c 'conf t' -c "$pl"
done < <(cat /var/dn42/filter6.txt | grep -e ^[0-9] | awk '{ print "ipv prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}' | sed "s_/\([0-9]\+\) ge \1_/\1_g;s_/\([0-9]\+\) le \1_/\1_g");
vtysh -c "wr" #write new prefix list
when: filter_list.changed
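Review bot: The awk program in the IPv6 loop emits `ipv prefix-list dn42 seq …` rather than `ipv6 prefix-list dn42 seq …`, so vtysh rejects every generated line, and because `no ipv6 prefix-list dn42` has already run, the router is left with no IPv6 prefix-list at all while the BGP config still references it for `PUBLIC_TRANSIT_V6` in and out — whether FRR treats a referenced-but-absent list as deny-all or permit-all should be verified, but either outcome is wrong. Fix: `awk '{ print "ipv6 prefix-list dn42 seq " $1 " " $2 " " $3 " ge " $4 " le " $5}'`. The same shape makes both loops fragile: the old list is removed before the new one is built and `vtysh -c "wr"` is only reached at the end, so a failure mid-loop leaves a partial filter in the running config; building the replacement under a temporary name and swapping it, or validating the generated lines before the `no … prefix-list dn42`, would make the update atomic. Minor: `cat file | grep -e ^[0-9]` can be `grep -e '^[0-9]' file`, with the pattern quoted so the shell does not try to glob it.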


@ -0,0 +1,11 @@
{% set peer_entry = (hostvars[item.peer]['internal_wg'] | selectattr('peer', 'equalto', inventory_hostname) | first) %}
{% set peer_name = "dn42-nll-" ~ (item.peer | replace('dn42-', '') ) %}
auto {{ peer_name }}
iface {{ peer_name }}
requires {{ dn42.main_if }}
wireguard-config-path /etc/wireguard/{{ peer_name }}.conf
address {{ dn42.internal_ipv4 }}
point-to-point {{ hostvars[item.peer]["dn42"]["internal_ipv4"] }}
address {{ dn42.internal_ipv6 }}/64
post-up ip -6 r add {{ hostvars[item.peer]["dn42"]["internal_ipv6"] }} dev {{ peer_name }}
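Review bot: `peer_entry` is assigned on the first line but never used in this template (the wireguard-internal template is the one that needs it), so the line is dead and should be dropped; as written it still forces the `selectattr(...) | first` lookup and makes the render fail for any host without a matching `internal_wg` entry. `address {{ dn42.internal_ipv4 }}` carries no prefix length while the IPv6 line appends `/64`; if a single host address on the point-to-point link is intended, a comment saying so would stop the next reader from "fixing" it.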


@ -0,0 +1,8 @@
auto dn42-{{ item.name }}
iface dn42-{{ item.name }}
requires {{ dn42.main_if }}
wireguard-config-path /etc/wireguard/dn42-{{ item.name }}.conf
address {{ item.own_ipv4 }}
point-to-point {{ item.remote_ipv4 }}
address {{ item.own_ipv6 }}
post-up ip -6 r add {{ item.remote_ipv6 }} dev dn42-{{ item.name }}
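Review bot: `address {{ item.own_ipv6 }}` is written without a prefix length, whereas the internal template writes `address {{ dn42.internal_ipv6 }}/64`, so the two stanza styles disagree and this one falls back to ifupdown's default prefix for inet6; state the intended length explicitly (e.g. `address {{ item.own_ipv6 }}/64`, or `/128` if only the point-to-point route should be installed) so the rendered file does not depend on the tool default. Whether the `own_ipv6` values in the inventory already include a prefix is not visible here — if some do, the template should normalise rather than append.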


@ -0,0 +1,11 @@
{% set peer_entry = (hostvars[item.peer]['internal_wg'] | selectattr('peer', 'equalto', inventory_hostname) | first) %}
[Interface]
PrivateKey = {{ item.privkey }}
ListenPort = {{ item.listen_port }}
[Peer]
Endpoint = {{ hostvars[item.peer]['ansible_host'] }}:{{ peer_entry['listen_port'] }}
PublicKey = {{ peer_entry['pubkey'] }}
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 25
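Review bot: `peer_entry` is taken with `| first` from `hostvars[item.peer]['internal_wg']`, which yields an undefined value when the peer host has no entry for `inventory_hostname` (for example when that host was skipped or failed earlier in the run), so the render fails at the `Endpoint` line with an error that points at the Jinja expression rather than the cause; a preceding `ansible.builtin.assert` that every peer host has an `internal_wg` entry for `inventory_hostname` would make the failure self-explaining. Failing loudly is still preferable to rendering a config with a blank `PublicKey`, so do not add a `default()` here. This config embeds a private key; the template task in main.yml sets `mode: "0640"`, which is the right default for it.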


@ -0,0 +1,11 @@
[Interface]
PrivateKey = {{ item.own_privkey }}
{% if item.listen_port is defined %}
ListenPort = {{ item.listen_port }}
{% endif %}
[Peer]
Endpoint = {{ item.endpoint }}
PublicKey = {{ item.remote_pubkey }}
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 25
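Review bot: `PrivateKey = {{ item.own_privkey }}` renders each peer's WireGuard private key straight from the `dn42.peers` inventory data, so wherever that list is defined it should be stored vault-encrypted (`ansible-vault encrypt_string` per value, or an encrypted host_vars file) rather than as plaintext YAML under version control; the template task in main.yml already keeps the rendered file at `mode: "0640"`. `{% if item.listen_port is defined %}` is the right guard for the optional key, while `AllowedIPs = 0.0.0.0/0,::/0` is unconditional — presumably intended, since each rendered config has a single `[Peer]` and route selection is left to the kernel, and worth a one-line comment so nobody narrows it to the peer's prefixes later.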


@ -0,0 +1,100 @@
frr version 8.1
frr defaults traditional
hostname {{ inventory_hostname }}
log file /var/log/frr/frr.log
log stdout
log syslog
service integrated-vtysh-config
!
debug bgp updates in
debug bgp updates out
!
ip router-id {{ dn42.internal_ipv4 | ansible.netcommon.ipaddr('address') }}
!
router babel
{% for internal_peer in internal_wg %}
{% set peer_name = "dn42-nll-" ~ (internal_peer.peer | replace('dn42-', '') ) %}
{% if internal_peer.peer|string != inventory_hostname|string %}
network {{ peer_name }}
{% endif %}
{% endfor %}
redistribute ipv4 connected
redistribute ipv4 bgp
redistribute ipv6 connected
redistribute ipv6 bgp
exit
!
router bgp 4242423767
neighbor PUBLIC_TRANSIT peer-group
neighbor PUBLIC_TRANSIT_V6 peer-group
{% for neighbor in dn42.peers %}
neighbor {{ neighbor.remote_ipv4 }} remote-as {{ neighbor.remote_as }}
neighbor {{ neighbor.remote_ipv4 }} peer-group PUBLIC_TRANSIT
neighbor {{ neighbor.remote_ipv4 }} description {{ neighbor.name }}
neighbor {{ neighbor.remote_ipv6 }} remote-as {{ neighbor.remote_as}}
neighbor {{ neighbor.remote_ipv6 }} peer-group PUBLIC_TRANSIT_V6
neighbor {{ neighbor.remote_ipv6 }} description {{ neighbor.name }}_v6
neighbor {{ neighbor.remote_ipv6 }} interface dn42-{{ neighbor.name }}
!
{% endfor %}
!
address-family ipv4 unicast
network 172.21.74.128/26
neighbor PUBLIC_TRANSIT prefix-list dn42 in
neighbor PUBLIC_TRANSIT prefix-list dn42 out
neighbor PUBLIC_TRANSIT route-map RM_SET_SRC out
no neighbor PUBLIC_TRANSIT_V6 activate
exit-address-family
!
address-family ipv6 unicast
network fd68:a3ea:7c9a::/48
neighbor PUBLIC_TRANSIT_V6 activate
neighbor PUBLIC_TRANSIT_V6 prefix-list dn42 in
neighbor PUBLIC_TRANSIT_V6 prefix-list dn42 out
exit-address-family
exit
!
ip prefix-list allow-only-own seq 10 permit 172.21.74.128/26
ip prefix-list allow-only-own seq 9999 deny 0.0.0.0/0 le 32
ip prefix-list dn42 seq 1 deny 172.22.166.0/24 le 32
ip prefix-list dn42 seq 1001 permit 172.20.0.0/24 ge 28 le 32
ip prefix-list dn42 seq 1002 permit 172.21.0.0/24 ge 28 le 32
ip prefix-list dn42 seq 1003 permit 172.22.0.0/24 ge 28 le 32
ip prefix-list dn42 seq 1004 permit 172.23.0.0/24 ge 28 le 32
ip prefix-list dn42 seq 1100 permit 172.20.0.0/14 ge 21 le 29
ip prefix-list dn42 seq 2001 permit 10.100.0.0/14 le 32
ip prefix-list dn42 seq 2002 permit 10.127.0.0/16 le 32
ip prefix-list dn42 seq 2003 permit 10.0.0.0/8 ge 15 le 24
ip prefix-list dn42 seq 3001 permit 172.31.0.0/16 le 32
ip prefix-list dn42 seq 4001 permit 172.20.0.0/14 le 32
ip prefix-list dn42 seq 4002 permit 10.0.0.0/8 le 32
ip prefix-list dn42 seq 9999 deny 0.0.0.0/0 le 32
!
ipv6 prefix-list dn42 seq 1001 permit fd00::/8 ge 44 le 64
ipv6 prefix-list dn42 seq 9999 deny ::/0 le 128
!
route-map RM_SET_SRC permit 10
set src 172.21.74.129
exit
!
route-map ONLY_OWN permit 10
match ip address prefix-list allow-only-own
exit
!
route-map ONLY_OWN permit 10
match ipv6 address prefix-list allow-only-own
exit
!
route-map ONLY_DN42 permit 10
match ip address prefix-list dn42
exit
!
route-map ONLY_DN42 permit 20
match ipv6 address prefix-list dn42
exit
!
ip protocol babel route-map ONLY_DN42
ipv6 protocol babel route-map ONLY_DN42
!
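Review bot: `set src 172.21.74.129` in route-map RM_SET_SRC hardcodes one router's address in a template that is rendered on every dn42 router, so the others would announce routes with a source address that is not their own; reuse the router-id expression, `set src {{ dn42.internal_ipv4 | ansible.netcommon.ipaddr('address') }}`. `route-map ONLY_OWN permit 10` is declared twice, once with `match ip address` and once with `match ipv6 address`; FRR folds both statements into the same sequence-10 entry, where (as far as I can tell) an IPv4 prefix fails the IPv6 match and vice versa, so the entry matches nothing — give the IPv6 block `permit 20` as ONLY_DN42 already does. `debug bgp updates in`/`out` are left on in the deployed config and belong to interactive troubleshooting. The static `ip prefix-list dn42` lines here overlap with the lists router_config.yml builds from filter.txt through vtysh; since the task that deploys this template is commented out in main.yml, decide which source owns the prefix lists before enabling it, otherwise `wr` will rewrite frr.conf and the next template run will rewrite it back.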


@ -0,0 +1,2 @@
localhost


@ -0,0 +1,5 @@
---
- hosts: localhost
remote_user: root
roles:
- nll-dn42
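Review bot: `hosts: localhost` runs the nll-dn42 role on the control machine, while the role's tasks iterate over `groups['dn42-router']` and write to /etc/wireguard and /etc/network/interfaces.d, so this play only makes sense if the control node is itself one of the routers; if the intent is to configure the routers in the inventory, it should be `- hosts: dn42-router`. The inventory file added next to it lists only `localhost`, which reads like a placeholder rather than the final target list. `remote_user: root` works, but a non-root login with `become: true` is the usual shape for a play that edits system files.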


@ -0,0 +1,4 @@
---
# vars file for nll-dn42
internal_wg: []
current_listen_port: 65001


@ -0,0 +1,6 @@
#!/usr/bin/python3
from yaml import load,dump
with open('./inventory/nll-intern'):
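Review bot: The script is an unfinished stub — `with open('./inventory/nll-intern'):` has no `as` target and no body, so the file is a SyntaxError as committed — and `from yaml import load,dump` pulls in PyYAML's full loader, which without an explicit `Loader=` constructs arbitrary Python objects from `!!python/...` tags (recent PyYAML versions reject the call outright). Use `from yaml import safe_load, safe_dump` (or `yaml.load(f, Loader=yaml.SafeLoader)`) and either finish the script or leave it out of the commit.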

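--- /dev/null
+++ b/site.yml
@@ -0,0 +1,2 @@
+---
+include_playbook: playbooks/gateway.yml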
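Review bot: `include_playbook` is not an Ansible keyword, and a playbook file must be a list of plays or imports, so this file fails to load as written; it should read `- import_playbook: playbooks/gateway.yml`. Whether playbooks/gateway.yml exists is not visible in this chunk — the only play added in this commit targets `localhost` with role nll-dn42, so the path needs to be confirmed against the file actually committed.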