Fix sudo, use proxy, configure private registry

playingfield · Feb 21, 2025 · 7e9d535 · 7e9d535
1 parent 032c948
commit 7e9d535
Show file tree

Hide file tree

Showing 7 changed files with 88 additions and 39 deletions.
diff --git a/host-initialization.yml b/host-initialization.yml
@@ -1,53 +1,31 @@
 #!/usr/bin/env ansible-playbook
 ---
-- name: Network config
+- name: Controller config
   hosts: controller
   become: true
   gather_facts: false
-  tags: [hostsfile]
+  tags: [controller]
   tasks:
-    - name: Configure /etc/hosts
+    - name: Configure controller
       ansible.builtin.include_role:
-        name: clusterlust.hosts
+        name: clusterlust.controller
 
 - name: Network config
-  hosts: k8s_cluster
+  hosts: all
   become: true
   gather_facts: false
-  tags: [network]
+  tags: [hostsfile]
   tasks:
-    - name: Disable firewalld
-      ansible.builtin.systemd:
-        name: firewalld
-        state: stopped
-        enabled: false
-
-    - name: Disable AD DNS
-      ansible.builtin.lineinfile:
-        path: /etc/resolv.conf
-        regexp: 'nameserver 10.0.0.205'
-        line: 'nameserver 10.0.0.205'
-        state: absent
-
-    - name: Set hostname
-      ansible.builtin.hostname:
-        name: "{{ inventory_hostname }}"
-        use: systemd
+    - name: Configure /etc/hosts
+      ansible.builtin.include_role:
+        name: clusterlust.hosts
 
-- name: Proxy config
+- name: Node preparation
   hosts: k8s_cluster
   become: true
   gather_facts: false
-  tags: [proxy]
+  tags: [nodepreparation]
   tasks:
-    - name: Fix dnf
-      ansible.builtin.lineinfile:
-        path: /etc/dnf/dnf.conf
-        regexp: "{{ item.regexp }}"
-        line: "{{ item.line }}"
-        state: present
-      loop:
-        - regexp: '^proxy='
-          line: "proxy={{ http_proxy | default('') }}"
-        - regexp: '^repo_gpgcheck='
-          line: 'repo_gpgcheck=0'
+    - name: Configure cluster nodes
+      ansible.builtin.include_role:
+        name: clusterlust.nodepreparation
diff --git a/roles/clusterlust.controller/tasks/main.yml b/roles/clusterlust.controller/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Check offline status
+  ansible.builtin.debug:
+    msg: "registry_user: {{ registry_user }}"
+    verbosity: 2
+
+- name: Registry login by semaphore user
+  become: true
+  become_user: semaphore
+  when: registry_pass is defined
+  environment:
+    REGISTRY_PASS: "{{ registry_pass }}"
+  ansible.builtin.command:
+    cmd: 'docker login -u="{{ registry_user }}" -p=$REGISTRY_PASS "{{ registry_host }}"'
+    creates: "/home/semaphore/.docker/config.json"
+
+- name: Save registry login for semaphore use
+  become: true
+  become_user: semaphore
+  when: registry_pass is defined
+  ansible.builtin.command:
+    cmd: cp -R /home/semaphore/.docker /home/semaphore/tmp/
+    creates: /home/semaphore/tmp/.docker/config.json
diff --git a/roles/clusterlust.hosts/tasks/main.yml b/roles/clusterlust.hosts/tasks/main.yml
@@ -1,4 +1,9 @@
 ---
+- name: Set hostname
+  ansible.builtin.hostname:
+    name: "{{ inventory_hostname }}"
+    use: systemd
+
 - name: Create /etc/hosts file
   ansible.builtin.template:
     src: hosts.j2

diff --git a/roles/clusterlust.hosts/templates/hosts.j2 b/roles/clusterlust.hosts/templates/hosts.j2
@@ -1,6 +1,8 @@
 # {{ ansible_managed }}
-127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
-::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
+127.0.0.1 localhost localhost4.localdomain4 localhost.localdomain localhost4
+::1 localhost6.localdomain localhost6
+# Ansible inventory hosts BEGIN
 {% for host in groups['all'] %}
-{{ hostvars[host]['ansible_host'] }}   {{ host }}
+{{ hostvars[host]['ansible_host'] }} {{ host }}.{{ cluster_name }} {{ host }}
 {% endfor %}
+# Ansible inventory hosts END
diff --git a/roles/clusterlust.nodepreparation/defaults/main.yml b/roles/clusterlust.nodepreparation/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+default_user: vagrant
diff --git a/roles/clusterlust.nodepreparation/tasks/main.yml b/roles/clusterlust.nodepreparation/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: Stop firewalld
+  ansible.builtin.systemd:
+    name: firewalld
+    state: stopped
+    enabled: false
+
+- name: "Empower {{ cluster_admin }}"
+  ansible.builtin.template:
+    src: sudo.j2
+    dest: /etc/sudoers.d/ansible
+    owner: root
+    group: root
+    mode: '0444'
+    validate: /usr/sbin/visudo -cf %s
+
+- name: Disable requiretty
+  ansible.builtin.lineinfile:
+    path: /etc/sudoers
+    regexp: 'Defaults.*requiretty'
+    line: 'Defaults !requiretty'
+    state: present
+    owner: root
+    group: root
+    mode: '0440'
+    validate: /usr/sbin/visudo -cf %s
+
+- name: Proxy dnf
+  when: http_proxy is defined
+  ansible.builtin.lineinfile:
+    path: /etc/dnf/dnf.conf
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    state: present
+  loop:
+    - regexp: '^proxy='
+      line: "proxy={{ http_proxy | default('') }}"
diff --git a/roles/clusterlust.nodepreparation/templates/sudo.j2 b/roles/clusterlust.nodepreparation/templates/sudo.j2
@@ -0,0 +1,2 @@
+# Ansible synchronize uses rsync which requires NOPASSWD
+{{ cluster_admin | default('admin') }} ALL=(ALL) NOPASSWD:ALL
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Ansible synchronize uses rsync which requires NOPASSWD
		{{ cluster_admin \| default('admin') }} ALL=(ALL) NOPASSWD:ALL