1.0.0 Release IaaS

2026-03-15 04:41:02 +09:00
commit a7365da431
292 changed files with 36059 additions and 0 deletions
--- a/ansible/roles/common/tasks/services/set_alloy.yaml
+++ b/ansible/roles/common/tasks/services/set_alloy.yaml
@@ -0,0 +1,73 @@
+---
+- name: Gather system facts (hardware)
+  ansible.builtin.setup:
+    gather_subset:
+      - hardware
+  become: true
+
+- name: Deploy alloy deb file (x86_64)
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['data_path'] }}/bin/alloy-{{ version['packages']['alloy'] }}-amd64.deb"
+    dest: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  when: ansible_facts['architecture'] == "x86_64"
+
+- name: Deploy alloy deb file (aarch64)
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['data_path'] }}/bin/alloy-{{ version['packages']['alloy'] }}-arm64.deb"
+    dest: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  when: ansible_facts['architecture'] == "aarch64"
+
+- name: Install alloy
+  ansible.builtin.apt:
+    deb: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
+    state: "present"
+  become: true
+
+- name: Deploy alloy config
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/alloy/config.alloy.j2"
+    dest: "/etc/alloy/config.alloy"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify: "notification_restart_alloy"
+  no_log: true
+
+- name: Create alloy.service.d
+  ansible.builtin.file:
+    path: "/etc/systemd/system/alloy.service.d"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  become: true
+
+- name: Set alloy.service.d/override.conf
+  ansible.builtin.copy:
+    dest: "/etc/systemd/system/alloy.service.d/override.conf"
+    content: |
+      [Service]
+      Restart=always
+      RestartSec=60
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify: "notification_restart_alloy"
+
+- name: Enable alloy service
+  ansible.builtin.systemd:
+    name: "alloy.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+  become: true
--- a/ansible/roles/common/tasks/services/set_caddy.yaml
+++ b/ansible/roles/common/tasks/services/set_caddy.yaml
@@ -0,0 +1,99 @@
+---
+# infra, auth, app (vmm, fw has no podman in it)
+- name: Create caddy directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/containers/{{ item }}"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    state: "directory"
+    mode: "0770"
+  loop:
+    - "caddy"
+    - "caddy/etc"
+    - "caddy/data"
+    - "caddy/build"
+  become: true
+
+- name: Create caddy log directory for auth
+  ansible.builtin.file:
+    path: /var/log/caddy
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    state: "directory"
+    mode: "0755"
+  become: true
+  when: node['name'] == "auth"
+
+- name: Register acme key to podman secret
+  containers.podman.podman_secret:
+    name: "CADDY_ACME_KEY"
+    data: "{{ hostvars['console']['ca']['acme_key'] }}"
+    state: "present"
+    force: true
+  notify: "notification_restart_caddy"
+  no_log: true
+
+- name: Register crowdsec bouncer key to podman secret
+  containers.podman.podman_secret:
+    name: "CADDY_CROWDSEC_KEY"
+    data: "{{ hostvars['console']['crowdsec']['bouncer']['caddy'] }}"
+    state: "present"
+    force: true
+  when: node['name'] == "auth"
+  notify: "notification_restart_caddy"
+  no_log: true
+
+- name: Deploy containerfile for build
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/common/caddy/build/caddy.containerfile.j2"
+    dest: "{{ node['home_path'] }}/containers/caddy/build/Containerfile"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0640"
+
+- name: Deploy root crt for build
+  ansible.builtin.copy:
+    content: "{{ hostvars['console']['ca']['root']['crt'] }}"
+    dest: "{{ node['home_path'] }}/containers/caddy/build/ilnmors_root_ca.crt"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0640"
+  no_log: true
+
+- name: Build caddy container image
+  containers.podman.podman_image:
+    name: "ilnmors.internal/{{ node['name'] }}/caddy"
+    # check tags from container file
+    tag: "{{ version['containers']['caddy'] }}"
+    state: "build"
+    path: "{{ node['home_path'] }}/containers/caddy/build"
+
+- name: Prune caddy dangling images
+  containers.podman.podman_prune:
+    image: true
+
+- name: Deploy caddyfile
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/common/caddy/etc/{{ node['name'] }}/Caddyfile.j2"
+    dest: "{{ node['home_path'] }}/containers/caddy/etc/Caddyfile"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0600"
+  notify: "notification_restart_caddy"
+
+- name: Deploy container file
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/common/caddy/caddy.container.j2"
+    dest: "{{ node['home_path'] }}/.config/containers/systemd/caddy.container"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0644"
+  notify: "notification_restart_caddy"
+
+- name: Enable caddy
+  ansible.builtin.systemd:
+    name: "caddy.service"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+    scope: "user"
--- a/ansible/roles/common/tasks/services/set_crowdsec.yaml
+++ b/ansible/roles/common/tasks/services/set_crowdsec.yaml
@@ -0,0 +1,304 @@
+---
+- name: Check crowdsec installed
+  ansible.builtin.shell: |
+    command -v crowdsec
+  changed_when: false
+  failed_when: false
+  register: "is_crowdsec_installed"
+  ignore_errors: true
+
+- name: Check crowdsec bouncer installed
+  ansible.builtin.shell: |
+    command -v crowdsec-firewall-bouncer
+  when: node['name'] == "fw"
+  changed_when: false
+  failed_when: false
+  register: "is_crowdsec_bouncer_installed"
+  ignore_errors: true
+
+- name: Install crowdsec
+  ansible.builtin.apt:
+    name: "crowdsec"
+    state: "present"
+  become: true
+  when: is_crowdsec_installed.rc != 0
+
+- name: Install crowdsec bouncers
+  ansible.builtin.apt:
+    name: "crowdsec-firewall-bouncer"
+    state: "present"
+  become: true
+  when:
+    - node['name'] == "fw"
+    - is_crowdsec_bouncer_installed.rc != 0
+
+- name: Set acquis.d list for bouncer
+  ansible.builtin.set_fact:
+    acquisd_list:
+      fw:
+        collection: "crowdsecurity/suricata"
+        config: "suricata.yaml"
+      auth:
+        collection: "crowdsecurity/caddy"
+        config: "caddy.yaml"
+
+- name: Deploy crowdsec-update service files
+  ansible.builtin.copy:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/crowdsec/{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    validate: "/usr/bin/systemd-analyze verify %s"
+  loop:
+    - "crowdsec-update.service"
+    - "crowdsec-update.timer"
+  become: true
+
+- name: Deploy crowdsec config.yaml
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/crowdsec/etc/config.yaml.j2"
+    dest: "/etc/crowdsec/config.yaml"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify: "notification_restart_crowdsec"
+  no_log: true
+
+- name: Deploy crowdsec local_api_credentials.yaml
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/crowdsec/etc/local_api_credentials.yaml.j2"
+    dest: "/etc/crowdsec/local_api_credentials.yaml"
+    owner: "root"
+    group: "root"
+    mode: "0600"
+  become: true
+  notify: "notification_restart_crowdsec"
+  no_log: true
+
+- name: Set Crowdsec LAPI configuration
+  when: node['name'] == "fw"
+  block:
+    - name: Create crowdsec ssl directory
+      ansible.builtin.file:
+        path: "/etc/crowdsec/ssl"
+        state: "directory"
+        owner: "root"
+        group: "root"
+        mode: "0700"
+      become: true
+
+    - name: Deploy crowdsec lapi ssl certificate
+      ansible.builtin.copy:
+        content: |
+          {{ hostvars['console']['crowdsec']['crt'] | trim }}
+          {{ hostvars['console']['ca']['intermediate']['crt'] }}
+        dest: "/etc/crowdsec/ssl/crowdsec.crt"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      become: true
+      notify: "notification_restart_crowdsec"
+      no_log: true
+
+    - name: Deploy crowdsec lapi ssl key
+      ansible.builtin.copy:
+        content: |
+          {{ hostvars['console']['crowdsec']['key'] }}
+        dest: "/etc/crowdsec/ssl/crowdsec.key"
+        owner: "root"
+        group: "root"
+        mode: "0400"
+      become: true
+      notify: "notification_restart_crowdsec"
+      no_log: true
+
+    - name: Get existing machines list
+      ansible.builtin.command:
+        cmd: "cscli machines list -o json"
+      become: true
+      changed_when: false
+      register: "existing_crowdsec_machines_list"
+
+    - name: Set existing machines' name
+      ansible.builtin.set_fact:
+        existing_machines_name: "{{ existing_crowdsec_machines_list.stdout | from_json | map(attribute='machineId') | list }}"
+
+    - name: Set goal machines' name
+      ansible.builtin.set_fact:
+        machines_name: ["fw", "vmm", "infra", "auth", "app"]
+      no_log: true
+
+    - name: Prune unknown (random) machines
+      ansible.builtin.command:
+        cmd: "cscli machines delete {{ item }}"
+      loop: "{{ existing_machines_name | difference(machines_name) }}"
+      become: true
+      changed_when: true
+
+    - name: Register crowdsec machines to LAPI server
+      ansible.builtin.command:
+        cmd: "cscli machines add {{ item }} --password {{ hostvars['console']['crowdsec']['machine'][item] }} --force -f /dev/null"
+      loop: "{{ machines_name }}"
+      become: true
+      changed_when: false
+      no_log: true
+
+    - name: Get existing bouncers list
+      ansible.builtin.command:
+        cmd: "cscli bouncers list -o json"
+      become: true
+      register: "existing_crowdsec_bouncers_list"
+      changed_when: false
+
+    - name: Set existing bouncers' name
+      ansible.builtin.set_fact:
+        existing_bouncers_name: "{{ existing_crowdsec_bouncers_list.stdout | from_json | map(attribute='name') | list }}"
+
+    - name: Flush bouncers
+      ansible.builtin.command:
+        cmd: "cscli bouncers delete {{ item }}"
+      loop: "{{ existing_bouncers_name }}"
+      become: true
+      changed_when: true
+
+    - name: Set bouncers' name
+      ansible.builtin.set_fact:
+        bouncers_name: ["fw", "caddy"]
+
+    - name: Register Firewall Bouncer to LAPI
+      ansible.builtin.command:
+        cmd: "cscli bouncers add {{ item }}-bouncer -k {{ hostvars['console']['crowdsec']['bouncer'][item] }}"
+      loop: "{{ bouncers_name }}"
+      become: true
+      changed_when: true
+      notify: "notification_restart_crowdsec_bouncer"
+      no_log: true
+
+- name: Set crowdsec bouncer
+  when: node['name'] in acquisd_list
+  block:
+    - name: Install crowdsec collection
+      ansible.builtin.command:
+        cmd: "cscli collections install {{ acquisd_list[node['name']]['collection'] }}"
+      become: true
+      changed_when: "'overwrite' not in is_collection_installed.stderr"
+      failed_when:
+        - is_collection_installed.rc != 0
+        - "'already installed' not in is_collection_installed.stderr"
+      register: "is_collection_installed"
+
+    - name: Create crowdsec acquis.d directory
+      ansible.builtin.file:
+        path: "/etc/crowdsec/acquis.d"
+        state: "directory"
+        owner: "root"
+        group: "root"
+        mode: "0755"
+      become: true
+
+    - name: Create whitelists.yaml
+      ansible.builtin.template:
+        src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2"
+        dest: "/etc/crowdsec/parsers/s02-enrich/whitelists.yaml"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      become: true
+      notify:
+        - "notification_restart_crowdsec"
+        - "notification_restart_crowdsec_bouncer"
+      no_log: true
+
+    - name: Deploy acquis.d file
+      ansible.builtin.copy:
+        src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/crowdsec/acquis.d/{{ acquisd_list[node['name']]['config'] }}"
+        dest: "/etc/crowdsec/acquis.d/{{ acquisd_list[node['name']]['config'] }}"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      become: true
+      notify: "notification_restart_crowdsec"
+
+    - name: Set Crowdsec-Firewall-Bouncer
+      when: node['name'] == "fw"
+      block:
+        - name: Deploy crowdsec-firewall-bouncer.yaml
+          ansible.builtin.template:
+            src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.j2"
+            dest: "/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
+            owner: "root"
+            group: "root"
+            mode: "0600"
+          become: true
+          notify: "notification_restart_crowdsec_bouncer"
+
+        - name: Delete crowdsec-firewall-bouncer.yaml subfiles (.id, .local)
+          ansible.builtin.file:
+            path: "/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml.{{ item }}"
+            state: "absent"
+          loop:
+            - "local"
+            - "id"
+          become: true
+          notify: "notification_restart_crowdsec_bouncer"
+
+        - name: Create crowdsec-firewall-bouncer.service.d
+          ansible.builtin.file:
+            path: "/etc/systemd/system/crowdsec-firewall-bouncer.service.d"
+            state: "directory"
+            owner: "root"
+            group: "root"
+            mode: "0755"
+          become: true
+
+        - name: Set crowdsec-firewall-bouncer.service.d/override.conf
+          ansible.builtin.copy:
+            dest: "/etc/systemd/system/crowdsec-firewall-bouncer.service.d/override.conf"
+            content: |
+              [Service]
+              Type=simple
+              TimeoutStartSec=600
+              Restart=always
+              RestartSec=60
+            owner: "root"
+            group: "root"
+            mode: "0644"
+          become: true
+          notify: "notification_restart_crowdsec_bouncer"
+
+
+- name: Create crowdsec.service.d
+  ansible.builtin.file:
+    path: "/etc/systemd/system/crowdsec.service.d"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  become: true
+
+- name: Set crowdsec.service.d/override.conf
+  ansible.builtin.copy:
+    dest: "/etc/systemd/system/crowdsec.service.d/override.conf"
+    content: |
+      [Service]
+      Restart=always
+      RestartSec=60
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  become: true
+  notify: "notification_restart_crowdsec"
+
+- name: Enable auto crowdsec rules update
+  ansible.builtin.systemd:
+    name: "crowdsec-update.timer"
+    state: "started"
+    enabled: true
+    daemon_reload: true
+  become: true
+
+# cscli bouncers list
+# cscli machines list
+# cscli metrics
--- a/ansible/roles/common/tasks/services/set_kopia.yaml
+++ b/ansible/roles/common/tasks/services/set_kopia.yaml
@@ -0,0 +1,137 @@
+---
+- name: Gather system facts (hardware)
+  ansible.builtin.setup:
+    gather_subset:
+      - hardware
+  become: true
+
+- name: Check kopia installation
+  ansible.builtin.shell: |
+    command -v kopia
+  changed_when: false
+  failed_when: false
+  register: "is_kopia_installed"
+  ignore_errors: true
+
+- name: Set console kopia
+  when: node['name'] == 'console'
+  block:
+    - name: Apply cli tools (x86_64)
+      ansible.builtin.apt:
+        deb: "{{ node['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-amd64.deb"
+        state: "present"
+      become: true
+      when:
+        - ansible_facts['architecture'] == "x86_64"
+        - is_kopia_installed.rc != 0
+    - name: Apply cli tools (aarch64)
+      ansible.builtin.apt:
+        deb: "{{ node['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-arm64.deb"
+        state: "present"
+      become: true
+      when:
+        - ansible_facts['architecture'] == "aarch64"
+        - is_kopia_installed.rc != 0
+    - name: Connect kopia server
+      environment:
+        KOPIA_PASSWORD: "{{ hostvars['console']['kopia']['user']['console'] }}"
+      ansible.builtin.shell: |
+        /usr/bin/kopia repository connect server \
+        --url=https://{{ infra_uri['kopia']['domain'] }}:{{ infra_uri['kopia']['ports']['https'] }} \
+        --override-username=console \
+        --override-hostname=console.ilnmors.internal
+      changed_when: false
+      failed_when: is_kopia_connected.rc != 0
+      register: "is_kopia_connected"
+      no_log: true
+
+- name: Set infra/app kopia
+  when: node['name'] in ['infra', 'app']
+  block:
+    - name: Set kopia uid
+      ansible.builtin.set_fact:
+        kopia_uid: 951
+    - name: Deploy kopia deb file (x86_64)
+      ansible.builtin.copy:
+        src: "{{ hostvars['console']['node']['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-amd64.deb"
+        dest: "/var/cache/apt/archives/kopia-{{ version['packages']['kopia'] }}.deb"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      become: true
+      when: ansible_facts['architecture'] == "x86_64"
+    - name: Deploy kopia deb file (aarch64)
+      ansible.builtin.copy:
+        src: "{{ hostvars['console']['node']['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-arm64.deb"
+        dest: "/var/cache/apt/archives/kopia-{{ version['packages']['kopia'] }}.deb"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      become: true
+      when: ansible_facts['architecture'] == "aarch64"
+    - name: Create kopia group
+      ansible.builtin.group:
+        name: "kopia"
+        gid: "{{ kopia_uid }}"
+        state: "present"
+      become: true
+    - name: Create kopia user
+      ansible.builtin.user:
+        name: "kopia"
+        uid: "{{ kopia_uid }}"
+        group: "kopia"
+        shell: "/usr/sbin/nologin"
+        password_lock: true
+        comment: "Kopia backup User"
+        state: "present"
+      become: true
+    - name: Create kopia directory
+      ansible.builtin.file:
+        path: "{{ item.name }}"
+        state: "directory"
+        owner: "kopia"
+        group: "root"
+        mode: "{{ item.mode }}"
+      loop:
+        - name: "/etc/kopia"
+          mode: "0700"
+        - name: "/etc/secrets/951"
+          mode: "0500"
+        - name: "/var/cache/kopia"
+          mode: "0700"
+      become: true
+      no_log: true
+    - name: Install kopia
+      ansible.builtin.apt:
+        deb: "/var/cache/apt/archives/kopia-{{ version['packages']['kopia'] }}.deb"
+        state: "present"
+      become: true
+      when: is_kopia_installed.rc != 0
+    - name: Deploy kopia env
+      ansible.builtin.template:
+        src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/kopia/kopia.env.j2"
+        dest: "/etc/secrets/{{ kopia_uid }}/kopia.env"
+        owner: "{{ kopia_uid }}"
+        group: "root"
+        mode: "0400"
+      become: true
+      no_log: true
+    - name: Deploy kopia service files
+      ansible.builtin.template:
+        src: "{{ hostvars['console']['node']['config_path'] }}/services/systemd/common/kopia/{{ item }}.j2"
+        dest: "/etc/systemd/system/{{ item }}"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+        validate: "/usr/bin/systemd-analyze verify %s"
+      loop:
+        - "kopia-backup.service"
+        - "kopia-backup.timer"
+      become: true
+    - name: Enable auto kopia rules update
+      ansible.builtin.systemd:
+        name: "kopia-backup.timer"
+        state: "started"
+        enabled: true
+        daemon_reload: true
+      become: true
--- a/ansible/roles/common/tasks/services/set_podman.yaml
+++ b/ansible/roles/common/tasks/services/set_podman.yaml
@@ -0,0 +1,46 @@
+---
+- name: Check podman installation
+  ansible.builtin.shell: |
+    command -v podman
+  changed_when: false
+  failed_when: false
+  register: "is_podman_installed"
+  ignore_errors: true
+
+- name: Create container directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/containers"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    state: "directory"
+    mode: "0700"
+
+- name: Create contaienr data directory for app
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/data/containers"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    state: "directory"
+    mode: "0770"
+  when: node['name'] == "app"
+
+- name: Install podman and reset ssh connection for initiating
+  when: is_podman_installed.rc != 0
+  become: true
+  block:
+    - name: Set subid scope (Overwrite)
+      ansible.builtin.copy:
+        content: |
+          {{ ansible_user }}:100000:65536
+        dest: "/etc/sub{{ item }}"
+        owner: "root"
+        group: "root"
+        mode: "0644"
+      loop:
+        - "uid"
+        - "gid"
+    - name: Install podman
+      ansible.builtin.apt:
+        name:
+          - "podman"
+        state: "present"