1.0.0 Release IaaS

2026-03-15 04:41:02 +09:00
commit a7365da431
292 changed files with 36059 additions and 0 deletions
--- a/ansible/roles/console/handlers/main.yaml
+++ b/ansible/roles/console/handlers/main.yaml
@@ -0,0 +1,8 @@
+---
+- name: Register font
+  ansible.builtin.shell: |
+    fc-cache -f -v
+  become: true
+  changed_when: false
+  listen: "notification_update_font"
+  ignore_errors: true # noqa: ignore-errors
--- a/ansible/roles/console/tasks/node/load_secret_vars.yaml
+++ b/ansible/roles/console/tasks/node/load_secret_vars.yaml
@@ -0,0 +1,29 @@
+---
+- name: Check sops installation (Prerequisite)
+  ansible.builtin.shell: |
+    command -v sops
+  changed_when: false
+  failed_when: false
+  register: "is_sops_installed"
+  ignore_errors: true
+
+- name: Failure when sops is missing
+  ansible.builtin.fail:
+    msg: "sops is not installed. Please install sops manually as described in README.md before running this playbook"
+  when: is_sops_installed.rc != 0
+
+- name: Decrypt secret values in console
+  environment:
+    SOPS_AGE_KEY: "{{ hostvars['console']['age_key'] }}"
+  ansible.builtin.command: |
+    sops -d --output-type yaml {{ hostvars['console']['node']['config_path'] }}/secrets/secrets.yaml
+  changed_when: false
+  register: "decrypted_secrets"
+  run_once: true
+  no_log: true
+
+- name: Load decrypted secret vaules in console
+  ansible.builtin.set_fact:
+    "{{ item.key }}": "{{ item.value }}"
+  loop: "{{ decrypted_secrets.stdout | from_yaml | dict2items }}"
+  no_log: true
--- a/ansible/roles/console/tasks/node/set_ssh_client.yaml
+++ b/ansible/roles/console/tasks/node/set_ssh_client.yaml
@@ -0,0 +1,109 @@
+---
+- name: Create ssh id_console
+  ansible.builtin.copy:
+    content: "{{ hostvars['console']['ssh']['console']['key'] }}"
+    dest: "/etc/secrets/{{ node['uid'] }}/id_console"
+    owner: "{{ ansible_user }}"
+    group: "root"
+    mode: "0400"
+  become: true
+  no_log: true
+
+- name: Create ssh id_console.pub
+  ansible.builtin.copy:
+    content: "{{ hostvars['console']['ssh']['console']['pub'] }}"
+    dest: "/etc/secrets/{{ node['uid'] }}/id_console.pub"
+    owner: "{{ ansible_user }}"
+    group: "root"
+    mode: "0400"
+  become: true
+  no_log: true
+
+- name: Create ssh_known_hosts
+  become: true
+  ansible.builtin.copy:
+    content: |
+      @cert-authority *.ilnmors.internal {{ hostvars['console']['ssh']['ca']['pub'] }}
+    dest: "/etc/ssh/ssh_known_hosts"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  no_log: true
+
+- name: Check id_console-cert.pub
+  ansible.builtin.stat:
+    path: "/etc/secrets/{{ node['uid'] }}/id_console-cert.pub"
+  register: "is_signed_console_key"
+
+- name: Get current id_console-cert.pub allow users
+  ansible.builtin.shell: |
+    set -o pipefail
+    ssh-keygen -L -f /etc/secrets/{{ node['uid'] }}/id_console-cert.pub | \
+    sed -n '/Principals:/,/Critical Options:/p' | \
+    sed '1d;$d' | \
+    sed 's/^[[:space:]]*//'
+  when: is_signed_console_key.stat.exists
+  changed_when: false
+  register: "current_allow_users"
+  no_log: true
+
+- name: Set key informations
+  ansible.builtin.set_fact:
+    current_user_list: "{{ current_allow_users.stdout_lines }}"
+  when: is_signed_console_key.stat.exists
+  no_log: true
+
+- name: Compare key values between current information and defined information
+  ansible.builtin.set_fact:
+    is_certificate_info_different: true
+  when: (current_user_list | default([])) != (node['ssh_users'].split(',') | map('trim') | list)
+
+- name: Get SSH CA and signing
+  when: not is_signed_console_key.stat.exists or (is_certificate_info_different | default(false))
+  block:
+    - name: Get SSH CA
+      ansible.builtin.copy:
+        content: |
+          {{ hostvars['console']['ssh']['ca']['key'] }}
+        dest: "/run/user/{{ node['uid'] }}/local_ssh_ca_private_key"
+        owner: "console"
+        group: "svadmins"
+        mode: "0400"
+      no_log: true
+    - name: Sign on ssh console key (pub file)
+      ansible.builtin.command: |
+        ssh-keygen -s /run/user/{{ node['uid'] }}/local_ssh_ca_private_key \
+        -I "{{ node['name'] }}" \
+        -n "{{ node['ssh_users'] }}" \
+        /etc/secrets/{{ node['uid'] }}/id_console.pub
+      become: true
+      changed_when: not is_signed_console_key.stat.exists or (is_certificate_info_different | default(false))
+      no_log: true
+  always:
+    - name: Clean temporary files
+      ansible.builtin.file:
+        path: "/run/user/{{ node['uid'] }}/local_ssh_ca_private_key"
+        state: "absent"
+      no_log: true
+
+- name: Create .ssh directory
+  ansible.builtin.file:
+    path: "{{ node['home_path'] }}/.ssh"
+    state: "directory"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0700"
+
+- name: Create ssh config file
+  ansible.builtin.copy:
+    content: |
+      {% for host in groups['all'] if host != 'console' %}
+      Host {{ host }}
+        HostName {{ hostvars[host]['ansible_host'] }}
+        User {{ hostvars[host]['ansible_user'] }}
+        IdentityFile /etc/secrets/{{ node['uid'] }}/id_console
+      {% endfor %}
+    dest: "{{ node['home_path'] }}/.ssh/config"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0600"
--- a/ansible/roles/console/tasks/services/set_chromium.yaml
+++ b/ansible/roles/console/tasks/services/set_chromium.yaml
@@ -0,0 +1,31 @@
+---
+- name: Check chromium installation
+  ansible.builtin.shell: |
+    command -v chromium
+  changed_when: false
+  failed_when: false
+  register: "is_chromium_installed"
+  ignore_errors: true
+
+- name: Check korean font installation
+  ansible.builtin.shell: |
+    fc-list | grep -i "nanum"
+  changed_when: false
+  failed_when: false
+  register: "is_font_installed"
+  ignore_errors: true
+
+- name: Install chromium
+  ansible.builtin.apt:
+    name: "chromium"
+    state: "present"
+  become: true
+  when: is_chromium_installed.rc != 0
+
+- name: Install font
+  ansible.builtin.apt:
+    name: "fonts-nanum"
+    state: "present"
+  become: true
+  when: is_font_installed.rc != 0
+  notify: "notification_update_font"
--- a/ansible/roles/console/tasks/services/set_cli_tools.yaml
+++ b/ansible/roles/console/tasks/services/set_cli_tools.yaml
@@ -0,0 +1,108 @@
+---
+- name: Gather system facts (hardware)
+  ansible.builtin.setup:
+    gather_subset:
+      - hardware
+  become: true
+
+- name: Check ansible installation
+  ansible.builtin.shell: |
+    command -v ansible
+  changed_when: false
+  failed_when: false
+  register: "is_ansible_installed"
+  ignore_errors: true
+
+- name: Upgrade ansible module
+  community.general.ansible_galaxy_install:
+    type: "collection"
+    name: "{{ item }}"
+    state: "latest"
+  loop:
+    - "ansible.posix"
+    - "community.libvirt"
+    - "community.general"
+    - "containers.podman"
+  when: is_ansible_installed.rc == 0
+
+- name: Download sops
+  ansible.builtin.get_url:
+    url: "https://github.com/getsops/sops/releases/download/v{{ version['packages']['sops'] }}/\
+      sops_{{ version['packages']['sops'] }}_{{ item }}.deb"
+    dest: "{{ node['data_path'] }}/bin/sops-{{ version['packages']['sops'] }}-{{ item }}.deb"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0600"
+  loop:
+    - "amd64"
+    - "arm64"
+
+- name: Download step-cli
+  ansible.builtin.get_url:
+    url: "https://dl.smallstep.com/gh-release/cli/gh-release-header/v{{ version['packages']['step'] }}/\
+      step-cli_{{ version['packages']['step'] }}-1_{{ item }}.deb"
+    dest: "{{ node['data_path'] }}/bin/step-{{ version['packages']['step'] }}-{{ item }}.deb"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0600"
+  loop:
+    - "amd64"
+    - "arm64"
+
+- name: Download kopia
+  ansible.builtin.get_url:
+    url: "https://github.com/kopia/kopia/releases/download/v{{ version['packages']['kopia'] }}/\
+      kopia_{{ version['packages']['kopia'] }}_linux_{{ item }}.deb"
+    dest: "{{ node['data_path'] }}/bin/kopia-{{ version['packages']['kopia'] }}-{{ item }}.deb"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0600"
+  loop:
+    - "amd64"
+    - "arm64"
+
+- name: Download blocky
+  ansible.builtin.get_url:
+    url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
+      blocky_v{{ version['packages']['blocky'] }}_Linux_{{ item }}.tar.gz"
+    dest: "{{ node['data_path'] }}/bin/blocky-{{ version['packages']['blocky'] }}-{{ item }}.tar.gz"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0600" # noqa: line-length
+  loop:
+    - "x86_64"
+    - "arm64"
+
+- name: Download alloy
+  ansible.builtin.get_url:
+    url: "https://github.com/grafana/alloy/releases/download/v{{ version['packages']['alloy'] }}/\
+      alloy-{{ version['packages']['alloy'] }}-1.{{ item }}.deb"
+    dest: "{{ node['data_path'] }}/bin/alloy-{{ version['packages']['alloy'] }}-{{ item }}.deb"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0600"
+  loop:
+    - "amd64"
+    - "arm64"
+
+- name: Apply cli tools (x86_64)
+  ansible.builtin.apt:
+    deb: "{{ node['data_path'] }}/bin/{{ item }}"
+    state: "present"
+  loop:
+    - "sops-{{ version['packages']['sops'] }}-amd64.deb"
+    - "step-{{ version['packages']['step'] }}-amd64.deb"
+    - "kopia-{{ version['packages']['kopia'] }}-amd64.deb"
+  become: true
+  when: ansible_facts['architecture'] == "x86_64"
+
+- name: Apply cli tools (aarch64)
+  ansible.builtin.apt:
+    deb: "{{ node['data_path'] }}/bin/{{ item }}"
+    state: "present"
+  loop:
+    - "sops-{{ version['packages']['sops'] }}-arm64.deb"
+    - "step-{{ version['packages']['step'] }}-arm64.deb"
+    - "kopia-{{ version['packages']['kopia'] }}-arm64.deb"
+  become: true
+  when: ansible_facts['architecture'] == "aarch64"