diff --git a/ansible/inventory/host_vars/truenas-remote.sops.yaml b/ansible/inventory/host_vars/truenas-remote.sops.yaml index 5965e79fb..82d53c342 100644 --- a/ansible/inventory/host_vars/truenas-remote.sops.yaml +++ b/ansible/inventory/host_vars/truenas-remote.sops.yaml @@ -1,6 +1,8 @@ kind: Secret root_api_key: ENC[AES256_GCM,data:e+g6jvxD9kBSYVbzGXR0QZZMAnxndPu04Dhs3UjNsjHyq+GQRlapPJDQmnTWFa11KaEK3lOiSmU4yxcRjbgG2t3a,iv:mLG+dFHrmndRm5fT4KU+TIOMiAg/urQ4Zv3YaRaoVlg=,tag:DXTWollNdF4o2Pe2qdyufw==,type:str] ansible_host: ENC[AES256_GCM,data:ldsDTnydWPMnAnOiSlVrkiiL6w==,iv:luNgXdV3uBRaGzBIlw4E5UrZqKBaakgwc+9YC9xXInM=,tag:MldHmJpsOqe7oJMA83Xm9g==,type:str] +ansible_password: ENC[AES256_GCM,data:6F+H0sO8BP7QSZxE6hE=,iv:GOMmcmYZVbT+UbjmHZf4f8jJaBEKV7JWDVpoMQ0QPsI=,tag:YZHl5Sy0wMLibgN7wJ7SNw==,type:str] +ansible_become_pass: ENC[AES256_GCM,data:KFih2YRvhMLDao5fQ+Q=,iv:cv54gnuCtg6Nt/XbUJ2osNnvPTGhnpKLc5btMY/cSW8=,tag:uxgxAj6WLqms+S2N677kyg==,type:str] sops: kms: [] gcp_kms: [] @@ -16,8 +18,8 @@ sops: ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2 R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-07-04T18:20:37Z" - mac: ENC[AES256_GCM,data:IzuN61G8NkZwqNDkIQQPNVODoxgPQieRlSTcInajbBUdHHdVkFRlyLI2INoGd1RDDV06NsmJPM3Yj6fRlWlF4iRCO60cEHgnSyq3FRcFa6oKe9f5p5hmIBin8KMIAQOinNf8/4kqUpkZOFeY/fViBayin1cYgJ2MlMYtZRFVt0A=,iv:2DNQdjHRbtTlTgSVOrS/UTeSaVOhldbf+ek2e1gNv5s=,tag:ef/4Xtbf/021Z5NHv8Up9A==,type:str] + lastmodified: "2022-07-21T19:48:24Z" + mac: ENC[AES256_GCM,data:nEaUZqbbRmmU69uLvsJODfzG/LmehP+B9PV1aVxLJD66VJrZR/eO70NohrAGC49PPJgt/I92NJmFLYZ6vtyz/IMTPSEckv/mxHR0U7AQ8+CSnwa8Alzd85OAa9fq4XZ17BBnuT+wBHdPq1H99zLw08MXShCxzx/1ygtb58DDj+k=,iv:5VtAIHJIxONYimmiakxZL12M6+Rig9urEVVAQcEBcbk=,tag:ojoIcXajAXYeTB3vOTIYBw==,type:str] pgp: [] unencrypted_regex: ^(kind)$ version: 3.7.3 
diff --git a/ansible/inventory/host_vars/truenas.sops.yaml b/ansible/inventory/host_vars/truenas.sops.yaml index 2f9a8f054..b056ec7f6 100644 --- a/ansible/inventory/host_vars/truenas.sops.yaml +++ b/ansible/inventory/host_vars/truenas.sops.yaml @@ -1,5 +1,7 @@ kind: Secret root_api_key: ENC[AES256_GCM,data:Fhj1MGeHxe/A6O7uVjMrCEu7J4rsiWrhbXgbAenb5CunoRPu0XLV/227WAFc4wFkboFNnt3bjzugvdvM5w/0JSry,iv:7uuHkrSKGShhIso8RgIJsOSYOxBiyyM/D5Dg+IGDh1Y=,tag:dP4gfIIUAEBUm91h5IHSug==,type:str] +ansible_password: ENC[AES256_GCM,data:zRaOy+b26VWMCVIPKLU=,iv:S+BX0fqVizWTZZr0A4MaXkw/4XhE2Pb+RGPjvnWuUpk=,tag:TUcGk8Hp9Zv17L/pmX4E7g==,type:str] +ansible_become_pass: ENC[AES256_GCM,data:xGVU7dW/MMI9bV6Vz+M=,iv:6/ikVQfHxjdCy5KKT+Yksj/OFws2WRcy8oDI2Oay7Eo=,tag:JOLmvpOAIjIHJ/K7Eaoxjw==,type:str] sops: kms: [] gcp_kms: [] @@ -15,8 +17,8 @@ sops: aG5zWW1XclBOS2cxMkwzZ3c1R1psNGsKzeSHHV7AYXCUNiiXJlBRFVWMZtfK3naj VRtF22+DYfjumQuwam2ZzhdLQ//1ciHnkJc58dKeTbYUHzC+fWpaZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-07-03T14:40:48Z" - mac: ENC[AES256_GCM,data:ple3qtcoOwSBg0AbkZSFAwySlvBYvk5/6jx3rsj1lptNDNGQyGd+X9oYqtAN+f58Q8y2Wbn+KwVWpKTvFzX6lEedv6iR0rFpPW6mMTX8Py8vboD2hCp96hpBMtNqf4JLIzPQoc5WG5kK88KDc17/M2HaQFPX56YSCHn0ABnH8Vg=,iv:o5WZqE3doTnpbFmBP77U6yKRvmCPgXVCjYQ0Z2VaR0I=,tag:e72lHlzwLX90pz36RJXsuw==,type:str] + lastmodified: "2022-07-21T19:48:18Z" + mac: ENC[AES256_GCM,data:nBonR9Ab5aY+F7w0HE+TRLScRtF5cQNxh3Uvc7jewiLnieolRQtfNiGzKk4YRgqFV8zRTbwS0jvpiqynhxl/ctIKWl2odVDrNkZljidn3jbSz5HUp+f6zxP3DCRXzsBFpunDT8CSdHBhdUWv+82WtFwg2pLH+nTtY11QkH4rQQk=,iv:ILeqDNEEPnb0serEObPMA2LC16ddScH1NwOiZ0M0EHo=,tag:puyv0jvBkCm/X/za6u3oVA==,type:str] pgp: [] unencrypted_regex: ^(kind)$ version: 3.7.3 diff --git a/ansible/inventory/host_vars/truenas.yaml b/ansible/inventory/host_vars/truenas.yaml index 120c07c29..71ab71105 100644 --- a/ansible/inventory/host_vars/truenas.yaml +++ b/ansible/inventory/host_vars/truenas.yaml 
@@ -2,3 +2,4 @@ main_nas: true
 pool_name: storage
 service_s3: true
 snapshots_interval: "daily:14,weekly:12,monthly:3"
+postgres_version: 14
diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
index c40d8b02e..efb3e7171 100644
--- a/ansible/inventory/hosts.yml
+++ b/ansible/inventory/hosts.yml
@@ -14,6 +14,10 @@ all:
 ansible_port: 35875
 vars:
 ansible_user: homelab
+ truenas-jails:
+ hosts:
+ borgserver:
+ postgres:
 kubernetes:
 children:
 master:
diff --git a/ansible/roles/truenas/tasks/jail-postgres.yml b/ansible/roles/truenas/tasks/jail-postgres.yml
new file mode 100644
index 000000000..33b199c98
--- /dev/null
+++ b/ansible/roles/truenas/tasks/jail-postgres.yml
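Review bot: The new inventory group `truenas-jails` contains a hyphen, which Ansible reports as an invalid character in a group name at inventory parse time (the group is then only addressable via `groups['truenas-jails']`, never as a bare variable); `truenas_jails` avoids the warning. The two hosts `borgserver` and `postgres` carry no `ansible_host` or connection vars, so they only work as name placeholders consumed by `groups['truenas-jails']` in jails.yml, not as play targets — a short comment above the group saying so would keep someone from adding them to `hosts:` in a play.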
@@ -0,0 +1,67 @@
+---
+- name: jail-postgres | get jail ip
+ ansible.builtin.shell:
+ cmd: iocage exec postgres ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+ changed_when: false
+ register: jail_ip
+ become: true
+
+# TODO : check if postgres already installed
+# - block:
+# - name: jail-postgres | create zfs pools
+# community.general.zfs:
+# name: "{{ item }}"
+# state: present
+# loop:
+# - "{{ pool_name }}/jail-mounts"
+# - "{{ pool_name }}/jail-mounts/postgres"
+# - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}"
+# - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/base"
+# - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/pg_wal"
+
+# - name: jail-postgres | configure zfs pool postgresql
+# community.general.zfs:
+# name: "{{ pool_name }}/jail-mounts/postgres"
+# state: present
+# extra_zfs_properties:
+# atime: off
+# setuid: off
+
+# - name: jail-postgres | configure zfs pool postgresql
+# community.general.zfs:
+# name: "{{ pool_name }}/jail-mounts/postgres"
+# state: present
+# extra_zfs_properties:
+# atime: off
+# setuid: off
+
+# - name: jail-postgres | create empty data{{ postgres_version }}dir
+# ansible.builtin.shell:
+# cmd: iocage exec postgres mkdir -p /var/db/postgres/data{{ postgres_version }}
+
+# - name: jail-postgres | mount data {{ postgres_version }}
+# ansible.builtin.shell:
+# cmd: iocage fstab -a postgres /mnt/{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }} /var/db/postgres/data{{ postgres_version }} nullfs rw 0 0
+# become: true
+
+- block:
+ - name: jail-postgres | packages
+ community.general.pkgng:
+ name:
+ - postgresql{{ postgres_version }}-server
+ - postgresql{{ postgres_version }}-contrib
+ - postgresql{{ postgres_version }}-client
+ state: present
+
+ - name: jail-postgres | change postgres/data{{ postgres_version }} mod
+ ansible.builtin.file:
+ path: /var/db/postgres/data{{ postgres_version }}
+ owner: postgres
+ group: postgres
+
+ - name: jail-postgres | initdb
+ ansible.builtin.shell:
+ cmd: su -m postgres -c 'initdb -E UTF-8 /var/db/postgres/data{{ postgres_version }}'
+
+ delegate_to: "{{ jail_ip.stdout }}"
+ remote_user: root
diff --git a/ansible/roles/truenas/tasks/jails-prepare.yml b/ansible/roles/truenas/tasks/jails-prepare.yml
new file mode 100644
index 000000000..6b1b60fe0
--- /dev/null
+++ b/ansible/roles/truenas/tasks/jails-prepare.yml
@@ -0,0 +1,24 @@
+---
+- name: jail-prepare | create .ssh directory
+ ansible.builtin.shell:
+ cmd: iocage exec postgres 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
+
+- name: jail-prepare | deploy ssh keys
+ ansible.builtin.shell:
+ cmd: iocage exec postgres 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
+ loop: "{{ public_ssh_keys }}"
+
+- name: jail-prepare | activate sshd
+ ansible.builtin.shell:
+ cmd: iocage exec postgres 'sysrc sshd_enable="YES"'
+
+- name: jail-prepare | sshd permit root login
+ ansible.builtin.shell:
+ cmd: iocage exec postgres 'echo "PermitRootLogin yes" > /etc/ssh/sshd_config'
+
+- name: jail-prepare | start sshd
+ ansible.builtin.shell:
+ cmd: iocage exec postgres 'service sshd start'
+
+- name: jail-prepare | install packages
+ ansible.builtin.raw: pkg install -y python3 bash; ln -s /usr/local/bin/bash /bin/bash
diff --git a/ansible/roles/truenas/tasks/jails.yml b/ansible/roles/truenas/tasks/jails.yml
new file mode 100644
index 000000000..a2d604ed1
--- /dev/null
+++ b/ansible/roles/truenas/tasks/jails.yml
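Review bot: `grep 'inet'` in the `get jail ip` task also matches the `inet6` line of `ifconfig epair0b`, so `jail_ip.stdout` can hold two addresses and `delegate_to: "{{ jail_ip.stdout }}"` then receives a multi-line host string; `grep 'inet '` (or `awk '/inet /{ print $2 }'`) selects only the IPv4 address. The `initdb` task has no `creates:` guard, so a second run fails on the already-populated data directory; adding `creates: /var/db/postgres/data{{ postgres_version }}/PG_VERSION` next to `cmd:` makes it idempotent. The `ansible.builtin.file` task sets owner/group without `state: directory`, which errors when the path does not exist yet — and the `mkdir` that would have created it is commented out above. The block connects to the jail as `remote_user: root`; since jails-prepare.yml already installs keys, a dedicated user plus `become: true` would let root SSH stay disabled in the jail.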
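Review bot: Every task in jails-prepare.yml hard-codes the jail name `postgres`, although jails.yml includes this file once per entry of `jails_state.results`, so `borgserver` is created but never prepared; the outer loop's `item` is also shadowed by the `deploy ssh keys` loop, so the include in jails.yml should set `loop_control: loop_var: jail` and these commands use `{{ jail.item }}`. The `install packages` task runs `ansible.builtin.raw` without `iocage exec`, so `pkg install -y python3 bash` and the `ln -s` execute on the TrueNAS host itself rather than inside the jail. The `sshd permit root login` task uses `>` and therefore replaces the whole `/etc/ssh/sshd_config` with a single directive; appending `PermitRootLogin prohibit-password` with `>>` keeps the distribution defaults and restricts root to the keys this file just installed. Whether `iocage exec` hands the quoted `;`-separated string to a shell is not visible here — confirm on the target, or invoke `/bin/sh -c` explicitly.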
@@ -0,0 +1,52 @@
+---
+- name: jails | check if jail exist
+ ansible.builtin.shell:
+ cmd: iocage list | grep {{ item }}
+ loop: "{{ groups['truenas-jails'] }}"
+ register: jails_check
+ failed_when: jails_check.rc != 0 and jails_check.rc != 1
+
+- name: jails | is iocage fetch required
+ ansible.builtin.set_fact:
+ jail_missing: true
+ loop: "{{ jails_check.results }}"
+ when: item.rc == 1
+
+- block:
+ - name: jails | get current FreeBSD release
+ ansible.builtin.shell:
+ cmd: freebsd-version -k
+ register: release
+ failed_when: release.rc != 0
+
+ - name: jails | fetch iocage template {{ release.stdout }}
+ ansible.builtin.shell:
+ cmd: iocage fetch -r {{ release.stdout }}
+ become: true
+
+ - name: jails | create jail
+ ansible.builtin.shell:
+ cmd: iocage create -r {{ release.stdout }} -n {{ item.item }} dhcp=on
+ loop: "{{ jails_check.results }}"
+ when: item.rc == 1
+ become: true
+ when: jail_missing
+
+- name: jails | check jails states
+ ansible.builtin.shell:
+ cmd: iocage get state {{ item }}
+ loop: "{{ groups['truenas-jails'] }}"
+ register: jails_state
+
+- name: jails | start jails
+ ansible.builtin.shell:
+ cmd: iocage start {{ item.item }}
+ loop: "{{ jails_state.results }}"
+ when: item.stdout == "down"
+ become: true
+
+- name: jails | prepare jails
+ ansible.builtin.include_tasks: jails-prepare.yml
+ loop: "{{ jails_state.results }}"
+ when: item.stdout == "down"
+ become: true
diff --git a/ansible/roles/truenas/tasks/main.yml b/ansible/roles/truenas/tasks/main.yml
index 1df06d640..b344729d3 100644
--- a/ansible/roles/truenas/tasks/main.yml
+++ b/ansible/roles/truenas/tasks/main.yml
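Review bot: `iocage list | grep {{ item }}` in `check if jail exist` is an unanchored substring match, so a jail whose name is contained in another's (`postgres` inside a hypothetical `postgres2`) is reported present and its creation skipped; `grep -w '{{ item }}'`, or checking `iocage get state {{ item }}` directly as the later task already does, avoids this. The read-only tasks (`check if jail exist`, `get current FreeBSD release`, `check jails states`) lack `changed_when: false`, so every run reports changes and hides real ones. `freebsd-version -k` can print a patch suffix such as `-p1`, which `iocage fetch -r` / `iocage create -r` may not accept as a release name — confirm on the target and strip it if needed.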
@@ -1,9 +1,15 @@
 ---
-- ansible.builtin.include_tasks: directories.yml
+# - ansible.builtin.include_tasks: directories.yml
 
-- ansible.builtin.include_tasks: scripts.yml
+# - ansible.builtin.include_tasks: scripts.yml
 
-- ansible.builtin.include_tasks: telegraf.yml
+# - ansible.builtin.include_tasks: telegraf.yml
 
-- ansible.builtin.include_tasks: wireguard.yml
- when: "main_nas == false"
+# - ansible.builtin.include_tasks: wireguard.yml
+# when: "main_nas == false"
+
+# - ansible.builtin.include_tasks: jails.yml
+# when: "main_nas"
+
+- ansible.builtin.include_tasks: jail-postgres.yml
+ when: "main_nas"
diff --git a/ansible/roles/truenas/vars/main.yml b/ansible/roles/truenas/vars/main.yml
new file mode 100644
index 000000000..496ce040d
--- /dev/null
+++ b/ansible/roles/truenas/vars/main.yml
@@ -0,0 +1 @@
+jail_missing: false
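Review bot: Every existing include (`directories.yml`, `scripts.yml`, `telegraf.yml`, `wireguard.yml`) is commented out rather than removed, and the new `jails.yml` — the only place the jail is created, started and given sshd — is commented out as well, while `jail-postgres.yml` alone stays enabled; as committed, the role stops managing the host and the postgres tasks delegate to a jail that nothing in this run has created or made reachable. If this is a debugging state, restore the includes before merging and enable `jails.yml` ahead of `jail-postgres.yml`; if the old includes are obsolete, delete them instead of leaving commented code. `when: "main_nas"` works, but the quotes are unnecessary for a bare variable and `when: main_nas` matches the usual style.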
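Review bot: `jail_missing: false` is placed in the role's `vars/main.yml`, whose precedence is above inventory, group and play vars, so it cannot be overridden from the inventory; since it only seeds a flag that `jails.yml` later flips with `set_fact`, `defaults/main.yml` is the conventional place for it. The new file also lacks the `---` document start that the role's other YAML files use.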