wip

2025-09-17 18:24:14 +02:00 · 2022-07-21 22:44:49 +02:00
parent 2aa91ae05c
commit 0be718c78d
9 changed files with 168 additions and 9 deletions
--- a/ansible/inventory/host_vars/truenas-remote.sops.yaml
+++ b/ansible/inventory/host_vars/truenas-remote.sops.yaml
@@ -1,6 +1,8 @@
 kind: Secret
 root_api_key: ENC[AES256_GCM,data:e+g6jvxD9kBSYVbzGXR0QZZMAnxndPu04Dhs3UjNsjHyq+GQRlapPJDQmnTWFa11KaEK3lOiSmU4yxcRjbgG2t3a,iv:mLG+dFHrmndRm5fT4KU+TIOMiAg/urQ4Zv3YaRaoVlg=,tag:DXTWollNdF4o2Pe2qdyufw==,type:str]
 ansible_host: ENC[AES256_GCM,data:ldsDTnydWPMnAnOiSlVrkiiL6w==,iv:luNgXdV3uBRaGzBIlw4E5UrZqKBaakgwc+9YC9xXInM=,tag:MldHmJpsOqe7oJMA83Xm9g==,type:str]
+ansible_password: ENC[AES256_GCM,data:6F+H0sO8BP7QSZxE6hE=,iv:GOMmcmYZVbT+UbjmHZf4f8jJaBEKV7JWDVpoMQ0QPsI=,tag:YZHl5Sy0wMLibgN7wJ7SNw==,type:str]
+ansible_become_pass: ENC[AES256_GCM,data:KFih2YRvhMLDao5fQ+Q=,iv:cv54gnuCtg6Nt/XbUJ2osNnvPTGhnpKLc5btMY/cSW8=,tag:uxgxAj6WLqms+S2N677kyg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -16,8 +18,8 @@ sops:
            ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2
            R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-07-04T18:20:37Z"
-    mac: ENC[AES256_GCM,data:IzuN61G8NkZwqNDkIQQPNVODoxgPQieRlSTcInajbBUdHHdVkFRlyLI2INoGd1RDDV06NsmJPM3Yj6fRlWlF4iRCO60cEHgnSyq3FRcFa6oKe9f5p5hmIBin8KMIAQOinNf8/4kqUpkZOFeY/fViBayin1cYgJ2MlMYtZRFVt0A=,iv:2DNQdjHRbtTlTgSVOrS/UTeSaVOhldbf+ek2e1gNv5s=,tag:ef/4Xtbf/021Z5NHv8Up9A==,type:str]
+    lastmodified: "2022-07-21T19:48:24Z"
+    mac: ENC[AES256_GCM,data:nEaUZqbbRmmU69uLvsJODfzG/LmehP+B9PV1aVxLJD66VJrZR/eO70NohrAGC49PPJgt/I92NJmFLYZ6vtyz/IMTPSEckv/mxHR0U7AQ8+CSnwa8Alzd85OAa9fq4XZ17BBnuT+wBHdPq1H99zLw08MXShCxzx/1ygtb58DDj+k=,iv:5VtAIHJIxONYimmiakxZL12M6+Rig9urEVVAQcEBcbk=,tag:ojoIcXajAXYeTB3vOTIYBw==,type:str]
    pgp: []
    unencrypted_regex: ^(kind)$
    version: 3.7.3
--- a/ansible/inventory/host_vars/truenas.sops.yaml
+++ b/ansible/inventory/host_vars/truenas.sops.yaml
@@ -1,5 +1,7 @@
 kind: Secret
 root_api_key: ENC[AES256_GCM,data:Fhj1MGeHxe/A6O7uVjMrCEu7J4rsiWrhbXgbAenb5CunoRPu0XLV/227WAFc4wFkboFNnt3bjzugvdvM5w/0JSry,iv:7uuHkrSKGShhIso8RgIJsOSYOxBiyyM/D5Dg+IGDh1Y=,tag:dP4gfIIUAEBUm91h5IHSug==,type:str]
+ansible_password: ENC[AES256_GCM,data:zRaOy+b26VWMCVIPKLU=,iv:S+BX0fqVizWTZZr0A4MaXkw/4XhE2Pb+RGPjvnWuUpk=,tag:TUcGk8Hp9Zv17L/pmX4E7g==,type:str]
+ansible_become_pass: ENC[AES256_GCM,data:xGVU7dW/MMI9bV6Vz+M=,iv:6/ikVQfHxjdCy5KKT+Yksj/OFws2WRcy8oDI2Oay7Eo=,tag:JOLmvpOAIjIHJ/K7Eaoxjw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@@ -15,8 +17,8 @@ sops:
            aG5zWW1XclBOS2cxMkwzZ3c1R1psNGsKzeSHHV7AYXCUNiiXJlBRFVWMZtfK3naj
            VRtF22+DYfjumQuwam2ZzhdLQ//1ciHnkJc58dKeTbYUHzC+fWpaZQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-07-03T14:40:48Z"
-    mac: ENC[AES256_GCM,data:ple3qtcoOwSBg0AbkZSFAwySlvBYvk5/6jx3rsj1lptNDNGQyGd+X9oYqtAN+f58Q8y2Wbn+KwVWpKTvFzX6lEedv6iR0rFpPW6mMTX8Py8vboD2hCp96hpBMtNqf4JLIzPQoc5WG5kK88KDc17/M2HaQFPX56YSCHn0ABnH8Vg=,iv:o5WZqE3doTnpbFmBP77U6yKRvmCPgXVCjYQ0Z2VaR0I=,tag:e72lHlzwLX90pz36RJXsuw==,type:str]
+    lastmodified: "2022-07-21T19:48:18Z"
+    mac: ENC[AES256_GCM,data:nBonR9Ab5aY+F7w0HE+TRLScRtF5cQNxh3Uvc7jewiLnieolRQtfNiGzKk4YRgqFV8zRTbwS0jvpiqynhxl/ctIKWl2odVDrNkZljidn3jbSz5HUp+f6zxP3DCRXzsBFpunDT8CSdHBhdUWv+82WtFwg2pLH+nTtY11QkH4rQQk=,iv:ILeqDNEEPnb0serEObPMA2LC16ddScH1NwOiZ0M0EHo=,tag:puyv0jvBkCm/X/za6u3oVA==,type:str]
    pgp: []
    unencrypted_regex: ^(kind)$
    version: 3.7.3
--- a/ansible/inventory/host_vars/truenas.yaml
+++ b/ansible/inventory/host_vars/truenas.yaml
@@ -2,3 +2,4 @@ main_nas: true
 pool_name: storage
 service_s3: true
 snapshots_interval: "daily:14,weekly:12,monthly:3"
+postgres_version: 14
--- a/ansible/inventory/hosts.yml
+++ b/ansible/inventory/hosts.yml
@@ -14,6 +14,10 @@ all:
          ansible_port: 35875
      vars:
        ansible_user: homelab
+    truenas-jails:
+      hosts:
+        borgserver:
+        postgres:
 kubernetes:
  children:
    master:
--- a/ansible/roles/truenas/tasks/jail-postgres.yml
+++ b/ansible/roles/truenas/tasks/jail-postgres.yml
@@ -0,0 +1,67 @@
+---
+- name: jail-postgres | get jail ip
+  ansible.builtin.shell:
+    cmd: iocage exec postgres ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+  changed_when: false
+  register: jail_ip
+  become: true
+
+# TODO : check if postgres already installed
+# - block:
+#     - name: jail-postgres | create zfs pools
+#       community.general.zfs:
+#         name: "{{ item }}"
+#         state: present
+#       loop:
+#         - "{{ pool_name }}/jail-mounts"
+#         - "{{ pool_name }}/jail-mounts/postgres"
+#         - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}"
+#         - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/base"
+#         - "{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }}/pg_wal"
+
+#     - name: jail-postgres | configure zfs pool postgresql
+#       community.general.zfs:
+#         name: "{{ pool_name }}/jail-mounts/postgres"
+#         state: present
+#         extra_zfs_properties:
+#           atime: off
+#           setuid: off
+
+#     - name: jail-postgres | configure zfs pool postgresql
+#       community.general.zfs:
+#         name: "{{ pool_name }}/jail-mounts/postgres"
+#         state: present
+#         extra_zfs_properties:
+#           atime: off
+#           setuid: off
+
+#     - name: jail-postgres | create empty data{{ postgres_version }}dir
+#       ansible.builtin.shell:
+#         cmd: iocage exec postgres mkdir -p /var/db/postgres/data{{ postgres_version }}
+
+#     - name: jail-postgres | mount data {{ postgres_version }}
+#       ansible.builtin.shell:
+#         cmd: iocage fstab -a postgres /mnt/{{ pool_name }}/jail-mounts/postgres/data{{ postgres_version }} /var/db/postgres/data{{ postgres_version }} nullfs rw 0 0
+#       become: true
+
+- block:
+    - name: jail-postgres | packages
+      community.general.pkgng:
+        name:
+          - postgresql{{ postgres_version }}-server
+          - postgresql{{ postgres_version }}-contrib
+          - postgresql{{ postgres_version }}-client
+        state: present
+
+    - name: jail-postgres | change postgres/data{{ postgres_version }} mod
+      ansible.builtin.file:
+        path: /var/db/postgres/data{{ postgres_version }}
+        owner: postgres
+        group: postgres
+
+    - name: jail-postgres | initdb
+      ansible.builtin.shell:
+        cmd: su -m postgres -c 'initdb -E UTF-8 /var/db/postgres/data{{ postgres_version }}'
+
+  delegate_to: "{{ jail_ip.stdout }}"
+  remote_user: root
--- a/ansible/roles/truenas/tasks/jails-prepare.yml
+++ b/ansible/roles/truenas/tasks/jails-prepare.yml
@@ -0,0 +1,24 @@
+---
+- name: jail-prepare | create .ssh directory
+  ansible.builtin.shell:
+    cmd: iocage exec postgres 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
+
+- name: jail-prepare | deploy ssh keys
+  ansible.builtin.shell:
+    cmd: iocage exec postgres 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
+  loop: "{{ public_ssh_keys }}"
+
+- name: jail-prepare | activate sshd
+  ansible.builtin.shell:
+    cmd: iocage exec postgres 'sysrc sshd_enable="YES"'
+
+- name: jail-prepare | sshd permit root login
+  ansible.builtin.shell:
+    cmd: iocage exec postgres 'echo "PermitRootLogin yes" > /etc/ssh/sshd_config'
+
+- name: jail-prepare | start sshd
+  ansible.builtin.shell:
+    cmd: iocage exec postgres 'service sshd start'
+
+- name: jail-prepare | install packages
+  ansible.builtin.raw: pkg install -y python3 bash; ln -s /usr/local/bin/bash /bin/bash
--- a/ansible/roles/truenas/tasks/jails.yml
+++ b/ansible/roles/truenas/tasks/jails.yml
@@ -0,0 +1,52 @@
+---
+- name: jails | check if jail exist
+  ansible.builtin.shell:
+    cmd: iocage list | grep {{ item }}
+  loop: "{{ groups['truenas-jails'] }}"
+  register: jails_check
+  failed_when: jails_check.rc != 0 and jails_check.rc != 1
+
+- name: jails | is iocage fetch required
+  ansible.builtin.set_fact:
+    jail_missing: true
+  loop: "{{ jails_check.results }}"
+  when: item.rc == 1
+
+- block:
+    - name: jails | get current FreeBSD release
+      ansible.builtin.shell:
+        cmd: freebsd-version -k
+      register: release
+      failed_when: release.rc != 0
+
+    - name: jails | fetch iocage template {{ release.stdout }}
+      ansible.builtin.shell:
+        cmd: iocage fetch -r {{ release.stdout }}
+      become: true
+
+    - name: jails | create jail
+      ansible.builtin.shell:
+        cmd: iocage create -r {{ release.stdout }} -n {{ item.item }} dhcp=on
+      loop: "{{ jails_check.results }}"
+      when: item.rc == 1
+      become: true
+  when: jail_missing
+
+- name: jails | check jails states
+  ansible.builtin.shell:
+    cmd: iocage get state {{ item }}
+  loop: "{{ groups['truenas-jails'] }}"
+  register: jails_state
+
+- name: jails | start jails
+  ansible.builtin.shell:
+    cmd: iocage start {{ item.item }}
+  loop: "{{ jails_state.results }}"
+  when: item.stdout == "down"
+  become: true
+
+- name: jails | prepare jails
+  ansible.builtin.include_tasks: jails-prepare.yml
+  loop: "{{ jails_state.results }}"
+  when: item.stdout == "down"
+  become: true
--- a/ansible/roles/truenas/tasks/main.yml
+++ b/ansible/roles/truenas/tasks/main.yml
@@ -1,9 +1,15 @@
 ---
- ansible.builtin.include_tasks: directories.yml
+# - ansible.builtin.include_tasks: directories.yml

- ansible.builtin.include_tasks: scripts.yml
+# - ansible.builtin.include_tasks: scripts.yml

- ansible.builtin.include_tasks: telegraf.yml
+# - ansible.builtin.include_tasks: telegraf.yml

- ansible.builtin.include_tasks: wireguard.yml
-  when: "main_nas == false"
+# - ansible.builtin.include_tasks: wireguard.yml
+#   when: "main_nas == false"
+
+# - ansible.builtin.include_tasks: jails.yml
+#   when: "main_nas"
+
+- ansible.builtin.include_tasks: jail-postgres.yml
+  when: "main_nas"
--- a/ansible/roles/truenas/vars/main.yml
+++ b/ansible/roles/truenas/vars/main.yml
@@ -0,0 +1 @@
+jail_missing: false