From 70c90a18e2e25cfc5d1a9f5c2412b40433ac88d9 Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI
Date: Sun, 25 Apr 2021 19:37:45 +0900
Subject: [PATCH 1/6] Ensure to satisfy the prerequisites.
---
 cookbooks/docker/files/etc/docker/daemon.json | 3 +++
 cookbooks/docker/install.rb | 8 +++++-
 cookbooks/docker/setup.rb | 27 +++++++++----------
 3 files changed, 23 insertions(+), 15 deletions(-)
 create mode 100644 cookbooks/docker/files/etc/docker/daemon.json
diff --git a/cookbooks/docker/files/etc/docker/daemon.json b/cookbooks/docker/files/etc/docker/daemon.json
new file mode 100644
index 0000000..59e6247
--- /dev/null
+++ b/cookbooks/docker/files/etc/docker/daemon.json
@@ -0,0 +1,3 @@
+{
+ "insecure-registries" : ["reg.kazu634.com"]
+}
diff --git a/cookbooks/docker/install.rb b/cookbooks/docker/install.rb
index 1425af5..050e460 100644
--- a/cookbooks/docker/install.rb
+++ b/cookbooks/docker/install.rb
@@ -19,4 +19,10 @@ execute 'apt-get update' do
 not_if 'which docker'
 end
-package 'docker-ce'
+%w(docker-ce docker-ce-cli containerd.io).each do |p|
+ package p
+end
+
+service 'docker' do
+ action :nothing
+end
diff --git a/cookbooks/docker/setup.rb b/cookbooks/docker/setup.rb
index 7745fb8..422708a 100644
--- a/cookbooks/docker/setup.rb
+++ b/cookbooks/docker/setup.rb
@@ -1,7 +1,16 @@
+# Ignore the certificate
+remote_file '/etc/docker/daemon.json' do
+ owner 'root'
+ group 'root'
+ mode '0600'
+
+ notifies :restart, 'service[docker]'
+end
+
 # install `cifs-utils`
 package 'cifs-utils'
-%w( /mnt/backup /var/spool/apt-mirror ).each do |d|
+%w( /mnt/shared /var/spool/apt-mirror ).each do |d|
 directory d do
 owner 'root'
 group 'root'
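Review bot: `"insecure-registries" : ["reg.kazu634.com"]` makes the daemon accept an unverifiable certificate and fall back to plain HTTP for that registry, so image pulls from it are no longer integrity-protected; the comment added in setup.rb in this same patch ("Ignore the certificate") confirms this is meant to paper over a certificate problem. If the registry is signed by a private CA, install that CA as `/etc/docker/certs.d/reg.kazu634.com/ca.crt` and drop this entry instead. If the list must stay, a comment in setup.rb such as `# TLS verification is disabled for reg.kazu634.com; pulls from it are not authenticated` would at least make the trade-off visible to the next reader.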
@@ -13,23 +22,13 @@ file '/etc/fstab' do
 action :edit
 block do |content|
- content << "//192.168.10.200/Shared/AppData /mnt/backup cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
+ content << "//192.168.10.200/Shared/AppData /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
 end
- not_if 'grep backup /etc/fstab'
+ not_if 'grep shared /etc/fstab'
 end
-file '/etc/fstab' do
- action :edit
-
- block do |content|
- content << "//192.168.10.200/Shared/PXEBoot/www/ubuntu/apt-mirror /var/spool/apt-mirror cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
- end
-
- not_if 'grep apt-mirror /etc/fstab'
-end
-
-execute 'mount -a'
+execute 'mount -a || true'
 # Deploy the cron.d file:
 remote_file '/etc/cron.d/docker-housekeep' do
From 010a53a58b8239732be3239926f8e19d445a5467 Mon Sep 17 00:00:00 2001
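Review bot: The `content <<` line on the new side writes the CIFS username and `password=` into /etc/fstab, which is world-readable on a default install, and the same literal is now committed to this repository; cookbooks/nomad/shared_dir.rb in patch 2 adds an identical line. Keep the secret out of both by deploying a root-only file with mode 0600 and pointing the entry at it, e.g. `credentials=/root/.smbcredentials` in place of the `username=...,password=...` pair, and treat the committed value as exposed. The guard `not_if 'grep shared /etc/fstab'` also matches any unrelated line containing "shared"; anchoring it on the mount point, `not_if 'grep -q " /mnt/shared " /etc/fstab'`, avoids a silent skip. `execute 'mount -a || true'` hides mount failures, so later resources that expect /mnt/shared to be mounted will run against an empty directory; `execute 'mount /mnt/shared' do not_if 'mountpoint -q /mnt/shared' end` fails loudly and is idempotent.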
From: Kazuhiro MUSASHI
Date: Fri, 30 Apr 2021 14:50:09 +0900
Subject: [PATCH 2/6] Deploy `nomad`.
---
 cookbooks/consul/install.rb | 2 +-
 .../{consul.list => hashicorp.list} | 0
 cookbooks/nomad/attributes.rb | 9 +++
 cookbooks/nomad/default.rb | 7 ++
 cookbooks/nomad/files/etc/nomad.d/client.hcl | 13 ++++
 cookbooks/nomad/files/etc/nomad.d/datadir.hcl | 4 ++
 .../files/etc/nomad.d/docker-registry.hcl | 6 ++
 cookbooks/nomad/files/etc/nomad.d/server.hcl | 4 ++
 .../nomad/files/etc/sysctl.d/90-nomad.conf | 3 +
 cookbooks/nomad/install.rb | 20 ++++++
 cookbooks/nomad/setup.rb | 65 +++++++++++++++++++
 cookbooks/nomad/shared_dir.rb | 19 ++++++
 .../etc/apt/sources.list.d/hashicorp.list | 1 +
 13 files changed, 152 insertions(+), 1 deletion(-)
 rename cookbooks/consul/templates/etc/apt/sources.list.d/{consul.list => hashicorp.list} (100%)
 create mode 100644 cookbooks/nomad/attributes.rb
 create mode 100644 cookbooks/nomad/default.rb
 create mode 100644 cookbooks/nomad/files/etc/nomad.d/client.hcl
 create mode 100644 cookbooks/nomad/files/etc/nomad.d/datadir.hcl
 create mode 100644 cookbooks/nomad/files/etc/nomad.d/docker-registry.hcl
 create mode 100644 cookbooks/nomad/files/etc/nomad.d/server.hcl
 create mode 100644 cookbooks/nomad/files/etc/sysctl.d/90-nomad.conf
 create mode 100644 cookbooks/nomad/install.rb
 create mode 100644 cookbooks/nomad/setup.rb
 create mode 100644 cookbooks/nomad/shared_dir.rb
 create mode 100644 cookbooks/nomad/templates/etc/apt/sources.list.d/hashicorp.list
diff --git a/cookbooks/consul/install.rb b/cookbooks/consul/install.rb
index 2c834e4..6e8adec 100644
--- a/cookbooks/consul/install.rb
+++ b/cookbooks/consul/install.rb
@@ -10,7 +10,7 @@ end
 DIST = run_command('lsb_release -cs').stdout.chomp
 # Deploy the `apt` sources:
-template '/etc/apt/sources.list.d/consul.list' do
+template '/etc/apt/sources.list.d/hashicorp.list' do
 action :create
 variables(distribution: DIST)
 end
diff --git a/cookbooks/consul/templates/etc/apt/sources.list.d/consul.list b/cookbooks/consul/templates/etc/apt/sources.list.d/hashicorp.list
similarity index 100%
rename from cookbooks/consul/templates/etc/apt/sources.list.d/consul.list
rename to cookbooks/consul/templates/etc/apt/sources.list.d/hashicorp.list
diff --git a/cookbooks/nomad/attributes.rb b/cookbooks/nomad/attributes.rb
new file mode 100644
index 0000000..6e0a6ea
--- /dev/null
+++ b/cookbooks/nomad/attributes.rb
@@ -0,0 +1,9 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+node.reverse_merge!({
+ 'nomad' => {
+ 'manager' => false,
+ 'client' => true
+ }
+})
diff --git a/cookbooks/nomad/default.rb b/cookbooks/nomad/default.rb
new file mode 100644
index 0000000..6a73243
--- /dev/null
+++ b/cookbooks/nomad/default.rb
@@ -0,0 +1,7 @@
+include_recipe './attributes.rb'
+
+include_recipe './install.rb'
+
+include_recipe './setup.rb'
+
+include_recipe './shared_dir.rb'
diff --git a/cookbooks/nomad/files/etc/nomad.d/client.hcl b/cookbooks/nomad/files/etc/nomad.d/client.hcl
new file mode 100644
index 0000000..2bd01ae
--- /dev/null
+++ b/cookbooks/nomad/files/etc/nomad.d/client.hcl
@@ -0,0 +1,13 @@
+# /etc/nomad.d/server.hcl
+
+client {
+ enabled = true
+}
+
+plugin "docker" {
+ config {
+ volumes {
+ enabled = true
+ }
+ }
+}
diff --git a/cookbooks/nomad/files/etc/nomad.d/datadir.hcl b/cookbooks/nomad/files/etc/nomad.d/datadir.hcl
new file mode 100644
index 0000000..6d9a396
--- /dev/null
+++ b/cookbooks/nomad/files/etc/nomad.d/datadir.hcl
@@ -0,0 +1,4 @@
+# /etc/nomad.d/server.hcl
+
+# data_dir tends to be environment specific.
+data_dir = "/opt/nomad/data/"
diff --git a/cookbooks/nomad/files/etc/nomad.d/docker-registry.hcl b/cookbooks/nomad/files/etc/nomad.d/docker-registry.hcl
new file mode 100644
index 0000000..d75173c
--- /dev/null
+++ b/cookbooks/nomad/files/etc/nomad.d/docker-registry.hcl
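Review bot: `volumes { enabled = true }` in the docker plugin config lets any job this client accepts bind-mount arbitrary host paths into its container, which on a client with no ACLs configured is effectively root on the node; the `host_volume` stanza in docker-registry.hcl is the narrower way to expose /mnt/shared and, as far as I can tell, does not depend on `volumes.enabled`, so consider dropping the plugin stanza or adding a comment stating why unrestricted host-path mounts are required. The header comment `# /etc/nomad.d/server.hcl` is copied from another file and should read `# /etc/nomad.d/client.hcl`; datadir.hcl in this patch carries the same stale header.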
@@ -0,0 +1,6 @@
+client {
+ host_volume "docker-registry" {
+ path = "/mnt/shared/Docker-registry"
+ read_only = false
+ }
+}
diff --git a/cookbooks/nomad/files/etc/nomad.d/server.hcl b/cookbooks/nomad/files/etc/nomad.d/server.hcl
new file mode 100644
index 0000000..385e208
--- /dev/null
+++ b/cookbooks/nomad/files/etc/nomad.d/server.hcl
@@ -0,0 +1,4 @@
+server {
+ enabled = true
+ bootstrap_expect = 3
+}
diff --git a/cookbooks/nomad/files/etc/sysctl.d/90-nomad.conf b/cookbooks/nomad/files/etc/sysctl.d/90-nomad.conf
new file mode 100644
index 0000000..d0ce3b4
--- /dev/null
+++ b/cookbooks/nomad/files/etc/sysctl.d/90-nomad.conf
@@ -0,0 +1,3 @@
+net.bridge.bridge-nf-call-arptables = 1
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
diff --git a/cookbooks/nomad/install.rb b/cookbooks/nomad/install.rb
new file mode 100644
index 0000000..74adaea
--- /dev/null
+++ b/cookbooks/nomad/install.rb
@@ -0,0 +1,20 @@
+# Install `Consul`:
+KEYSRV = "https://apt.releases.hashicorp.com/gpg"
+ID = "A3219F7B"
+
+execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}" do
+ not_if 'apt-key list | grep HashiCorp'
+end
+
+# Retrieve the Ubuntu code:
+DIST = run_command('lsb_release -cs').stdout.chomp
+
+# Deploy the `apt` sources:
+template '/etc/apt/sources.list.d/hashicorp.list' do
+ action :create
+ variables(distribution: DIST)
+end
+
+execute 'apt update'
+
+package 'nomad'
diff --git a/cookbooks/nomad/setup.rb b/cookbooks/nomad/setup.rb
new file mode 100644
index 0000000..f03b6ec
--- /dev/null
+++ b/cookbooks/nomad/setup.rb
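Review bot: `ID = "A3219F7B"` is an 8-hex-digit short key id, which is not unique enough to pin a signing key, and the `execute "apt-key adv --keyserver #{KEYSRV} --recv-keys #{ID}"` line hands `--keyserver` the HTTPS URL of a key file rather than a keyserver, so it is unclear the fetch succeeds at all; the guard `not_if 'apt-key list | grep HashiCorp'` is in any case already satisfied on hosts where the consul cookbook imported the same key. Download the key file from that URL into a dedicated keyring, pin the full fingerprint, and reference the keyring with `signed-by=` from the sources template (the template in this series carries only `[arch=amd64]`). `template '/etc/apt/sources.list.d/hashicorp.list'` is now written by both this recipe and cookbooks/consul/install.rb from two separate template files; one cookbook should own that file. `DIST`, `KEYSRV` and `ID` are top-level Ruby constants and `DIST` is also defined in the consul recipe, so loading both in one run redefines it with a warning — plain locals avoid that. The opening comment `# Install `Consul`:` should say nomad.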
@@ -0,0 +1,65 @@
+# Kernel parameters:
+remote_file '/etc/sysctl.d/90-nomad.conf' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+end
+
+# nomad configuration files:
+file '/etc/nomad.d/nomad.hcl' do
+ action :delete
+end
+
+remote_file '/etc/nomad.d/datadir.hcl' do
+ owner 'nomad'
+ group 'nomad'
+ mode '664'
+
+ notifies :restart, 'service[nomad]'
+end
+
+if node['nomad']['manager']
+ remote_file '/etc/nomad.d/server.hcl' do
+ owner 'nomad'
+ group 'nomad'
+ mode '664'
+
+ notifies :restart, 'service[nomad]'
+ end
+end
+
+if node['nomad']['client']
+ %w( /etc/nomad.d/client.hcl /etc/nomad.d/docker-registry.hcl ).each do |conf|
+ remote_file conf do
+ owner 'nomad'
+ group 'nomad'
+ mode '664'
+
+ notifies :restart, 'service[nomad]'
+ end
+ end
+end
+
+# Create directory:
+directory '/opt/nomad/data/' do
+ owner 'nomad'
+ group 'nomad'
+ mode '0755'
+end
+
+# iptables settings here:
+%w( 80/tcp 4646/tcp 4647/tcp 4648/tcp 8081/tcp 20000:32000/tcp ).each do |port|
+ execute "ufw allow #{port}" do
+ user 'root'
+
+ not_if "LANG=c ufw status | grep #{port}"
+
+ notifies :run, 'execute[ufw reload-or-enable]'
+ end
+end
+
+# Enable and start nomad:
+service 'nomad' do
+ action [:enable, :start]
+end
+
diff --git a/cookbooks/nomad/shared_dir.rb b/cookbooks/nomad/shared_dir.rb
new file mode 100644
index 0000000..c40e4d1
--- /dev/null
+++ b/cookbooks/nomad/shared_dir.rb
@@ -0,0 +1,19 @@
+%w( /mnt/shared ).each do |d|
+ directory d do
+ owner 'root'
+ group 'root'
+ end
+end
+
+# Add the fstab entry:
+file '/etc/fstab' do
+ action :edit
+
+ block do |content|
+ content << "//192.168.10.200/Shared/AppData /mnt/shared cifs username=admin,password=Holiday88,uid=root,gid=root,file_mode=0777,dir_mode=0777,vers=3.0,_netdev 0 0\n"
+ end
+
+ not_if 'grep shared /etc/fstab'
+end
+
+execute 'mount -a || true'
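Review bot: `mode '664'` on datadir.hcl, server.hcl, client.hcl and docker-registry.hcl makes the Nomad configuration group-writable by the `nomad` group — presumably the account the agent itself runs as — so a compromised agent can rewrite its own config; root-owned `mode '0644'` (as the sysctl file at the top of this recipe already is) or `0640` is the usual setting. The ufw loop opens 4646–4648 and 20000:32000 to any source while nothing in the shipped HCL enables ACLs or TLS, so the HTTP API on 4646 is reachable unauthenticated from wherever the firewall permits; at minimum restrict those rules to the cluster subnet. In the guard `not_if "LANG=c ufw status | grep #{port}"`, `LANG=c` is presumably meant to be `LANG=C`, and the unanchored grep lets `80/tcp` match an existing `8080/tcp` rule — `grep -w` avoids that. `execute[ufw reload-or-enable]` is notified but not defined in this recipe; if it lives in another cookbook, a comment naming it would help.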
diff --git a/cookbooks/nomad/templates/etc/apt/sources.list.d/hashicorp.list b/cookbooks/nomad/templates/etc/apt/sources.list.d/hashicorp.list
new file mode 100644
index 0000000..16f9f11
--- /dev/null
+++ b/cookbooks/nomad/templates/etc/apt/sources.list.d/hashicorp.list
@@ -0,0 +1 @@
+deb [arch=amd64] https://apt.releases.hashicorp.com <%= @distribution %> main
From 2eed57822c02576f4fd1107e19ee941ddf3ff6f7 Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI
Date: Sat, 1 May 2021 18:13:25 +0900
Subject: [PATCH 3/6] Deploy `consul-template`.
---
 cookbooks/consul-template/attributes.rb | 13 +++++++
 cookbooks/consul-template/default.rb | 7 ++++
 .../files/etc/default/consul-template | 1 +
 .../etc/rsyslog.d/30-consul-template.conf | 7 ++++
 .../systemd/system/consul-template.service | 13 +++++++
 cookbooks/consul-template/install.rb | 34 ++++++++++++++++
 cookbooks/consul-template/setup.rb | 39 +++++++++++++++++++
 7 files changed, 114 insertions(+)
 create mode 100644 cookbooks/consul-template/attributes.rb
 create mode 100644 cookbooks/consul-template/default.rb
 create mode 100644 cookbooks/consul-template/files/etc/default/consul-template
 create mode 100644 cookbooks/consul-template/files/etc/rsyslog.d/30-consul-template.conf
 create mode 100644 cookbooks/consul-template/files/etc/systemd/system/consul-template.service
 create mode 100644 cookbooks/consul-template/install.rb
 create mode 100644 cookbooks/consul-template/setup.rb
diff --git a/cookbooks/consul-template/attributes.rb b/cookbooks/consul-template/attributes.rb
new file mode 100644
index 0000000..cb6f58c
--- /dev/null
+++ b/cookbooks/consul-template/attributes.rb
@@ -0,0 +1,13 @@
+# -------------------------------------------
+# Specifying the default settings:
+# -------------------------------------------
+node.reverse_merge!({
+ 'consulTemplate' => {
+ 'baseUrl' => 'https://releases.hashicorp.com/consul-template/',
+ 'version' => '0.25.2',
+ 'zipPrefix' => 'consul-template_',
+ 'zipPostfix' => '_linux_amd64.zip',
+ 'storage' => '/opt/consul-template/consul-template',
+ 'location' => '/usr/local/bin/consul-template'
+ },
+})
diff --git a/cookbooks/consul-template/default.rb b/cookbooks/consul-template/default.rb
new file mode 100644
index 0000000..f0eb864
--- /dev/null
+++ b/cookbooks/consul-template/default.rb
@@ -0,0 +1,7 @@
+# Loading the attributes:
+include_recipe './attributes.rb'
+
+# Install loki here:
+include_recipe './install.rb'
+include_recipe './setup.rb'
+
diff --git a/cookbooks/consul-template/files/etc/default/consul-template b/cookbooks/consul-template/files/etc/default/consul-template
new file mode 100644
index 0000000..769569a
--- /dev/null
+++ b/cookbooks/consul-template/files/etc/default/consul-template
@@ -0,0 +1 @@
+OPTIONS="-syslog -syslog-name=consul-template"
diff --git a/cookbooks/consul-template/files/etc/rsyslog.d/30-consul-template.conf b/cookbooks/consul-template/files/etc/rsyslog.d/30-consul-template.conf
new file mode 100644
index 0000000..1a4c6cc
--- /dev/null
+++ b/cookbooks/consul-template/files/etc/rsyslog.d/30-consul-template.conf
@@ -0,0 +1,7 @@
+# Log kernel generated promtail log messages to file
+:syslogtag,contains,"consul-template" /var/log/consul-template.log
+
+# Uncomment the following to stop logging anything that matches the last rule.
+# Doing this will stop logging kernel generated UFW log messages to the file
+# normally containing kern.* messages (eg, /var/log/kern.log)
+& stop
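Review bot: `# Install loki here:` in default.rb is a leftover from another cookbook and should read `# Install consul-template here:`. The same copy-paste problem appears in files/etc/rsyslog.d/30-consul-template.conf, whose first comment says `# Log kernel generated promtail log messages to file` and whose trailing comment talks about kernel/UFW messages; a single `# Route consul-template's syslog output to /var/log/consul-template.log and stop further processing` above the selector line describes what the file actually does. The header comment `# Create `/var/log/vector`:` in cookbooks/consul-template/setup.rb has the same origin and should name the two consul-template.d directories it creates.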
diff --git a/cookbooks/consul-template/files/etc/systemd/system/consul-template.service b/cookbooks/consul-template/files/etc/systemd/system/consul-template.service
new file mode 100644
index 0000000..1acdc36
--- /dev/null
+++ b/cookbooks/consul-template/files/etc/systemd/system/consul-template.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=consul-template
+Requires=network-online.target
+After=network-online.target consul.service
+
+[Service]
+EnvironmentFile=-/etc/default/consul-template
+Restart=on-failure
+ExecStart=/usr/local/bin/consul-template $OPTIONS -config=/etc/consul-template.d/conf/
+KillSignal=SIGINT
+
+[Install]
+WantedBy=multi-user.target
diff --git a/cookbooks/consul-template/install.rb b/cookbooks/consul-template/install.rb
new file mode 100644
index 0000000..7c0b01a
--- /dev/null
+++ b/cookbooks/consul-template/install.rb
@@ -0,0 +1,34 @@
+consulTemplate_zip = "#{node['consulTemplate']['zipPrefix']}#{node['consulTemplate']['version']}#{node['consulTemplate']['zipPostfix']}"
+consulTemplate_url = "#{node['consulTemplate']['baseUrl']}#{node['consulTemplate']['version']}/#{consulTemplate_zip}"
+
+# バージョン確認して、アップデート必要かどうか確認
+result = run_command('which consul-template', error: false)
+if result.exit_status != 0
+
+ # Download:
+ TMP = "/tmp/#{consulTemplate_zip}"
+
+ execute "wget #{consulTemplate_url} -O #{TMP}"
+
+ directory '/opt/consul-template' do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ end
+
+ execute "unzip #{TMP} -d /opt/consul-template/" do
+ not_if 'test -e /opt/consul-template/consul-template'
+ end
+
+ # Change Owner and Permissions:
+ file "#{node['consulTemplate']['storage']}" do
+ owner 'root'
+ group 'root'
+ mode '755'
+ end
+
+ # Create Link
+ link "#{node['consulTemplate']['location']}" do
+ to "#{node['consulTemplate']['storage']}"
+ end
+end
diff --git a/cookbooks/consul-template/setup.rb b/cookbooks/consul-template/setup.rb
new file mode 100644
index 0000000..25d3460
--- /dev/null
+++ b/cookbooks/consul-template/setup.rb
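Review bot: The unit has no `User=`, so consul-template runs as root and anything its rendered templates' `command` hooks execute runs as root as well. If root is required for the reload commands the templates will issue, state that in a comment in the `[Service]` section; otherwise run it under a dedicated account with `User=` and give only the template output directories to that account.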
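Review bot: `execute "wget #{consulTemplate_url} -O #{TMP}"` downloads the release zip and the following `unzip` extracts it as root with no checksum or signature check, so the install trusts whatever the connection returns; HashiCorp publishes a SHA256SUMS file next to each release, so fetch it, verify with `sha256sum -c` before the unzip step, and keep the expected digest in attributes.rb alongside `'version'`. `TMP = "/tmp/#{consulTemplate_zip}"` is a predictable path in a world-writable directory; a per-run temporary directory or a root-owned path under /opt/consul-template is safer for a root-executed download. The Japanese comment says the version is checked to decide whether an update is needed, but the only guard is `which consul-template`, so bumping `'version'` never triggers a reinstall on a host that already has the binary. `TMP` is a constant assigned inside an `if` at recipe top level; a local variable avoids the redefinition warning if the recipe is loaded more than once.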
@@ -0,0 +1,39 @@
+# Create `/var/log/vector`:
+%w( /etc/consul-template.d/conf /etc/consul-template.d/templates ).each do |d|
+ directory d do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ end
+end
+
+%w( /etc/systemd/system/consul-template.service /etc/default/consul-template).each do |conf|
+ remote_file conf do
+ owner 'root'
+ group 'root'
+ mode '0644'
+
+ notifies :run, 'execute[systemctl daemon-reload]', :immediately
+ end
+end
+
+execute 'systemctl daemon-reload' do
+ action :nothing
+end
+
+service 'consul-template' do
+ action [:enable, :restart]
+end
+
+remote_file '/etc/rsyslog.d/30-consul-template.conf' do
+ owner 'root'
+ group 'root'
+ mode '0644'
+
+ notifies :restart, 'service[rsyslog]', :immediately
+end
+
+service 'rsyslog' do
+ action [ :nothing ]
+end
+
From e6c531d06918f7fb102865221023f6bf1274ca33 Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI
Date: Sat, 1 May 2021 18:12:09 +0900
Subject: [PATCH 4/6] Add consul-template to the base role.
---
 roles/base.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/base.rb b/roles/base.rb
index 74e1874..acd267d 100644
--- a/roles/base.rb
+++ b/roles/base.rb
@@ -2,6 +2,7 @@ include_recipe '../cookbooks/base/default.rb'
 include_recipe '../cookbooks/kazu634/default.rb'
 include_recipe '../cookbooks/supervisor/default.rb'
 include_recipe '../cookbooks/consul/default.rb'
+include_recipe '../cookbooks/consul-template/default.rb'
 include_recipe '../cookbooks/fzf/default.rb'
 include_recipe '../cookbooks/promtail/default.rb'
 include_recipe '../cookbooks/vector/default.rb'
From f55682e5c37f1c66fad0fffb434af44a1d073545 Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI
Date: Sat, 1 May 2021 18:22:31 +0900
Subject: [PATCH 5/6] Modify `nginx` deploy settings.
---
 cookbooks/nginx/default.rb | 28 ++++++++++++++++++++++++++++
 cookbooks/nginx/setup.rb | 34 ----------------------------------
 2 files changed, 28 insertions(+), 34 deletions(-)
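Review bot: `service 'consul-template' do action [:enable, :restart] end` restarts the daemon on every converge whether or not anything changed, which drops every template it is mid-render on. Use `action [:enable, :start]` and have the two `remote_file` resources in the loop above add `notifies :restart, 'service[consul-template]'` next to their existing daemon-reload notification, so a restart happens only when the unit or its defaults file actually changes. The leading comment `# Create `/var/log/vector`:` belongs to another cookbook; `# Create the consul-template config and template directories:` describes the loop that follows.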
diff --git a/cookbooks/nginx/default.rb b/cookbooks/nginx/default.rb
index fb4e230..07d52f6 100644
--- a/cookbooks/nginx/default.rb
+++ b/cookbooks/nginx/default.rb
@@ -4,6 +4,34 @@ include_recipe './attributes.rb'
 # Kernel Parameters:
 include_recipe './kernel.rb'
+# Create the necessary directories:
+%w( body fastcgi proxy scgi uwsgi ).each do |d|
+ directory "/var/lib/nginx/#{d}" do
+ owner 'www-data'
+ group 'root'
+ mode '755'
+ end
+end
+
+%w( /etc/nginx/sites-enabled /etc/nginx/stream-enabled ).each do |d|
+ directory d do
+ owner 'root'
+ group 'root'
+ mode '0755'
+ end
+end
+
+# Deploy the nginx configuration files:
+%w(nginx.conf basic-auth).each do |f|
+ remote_file "/etc/nginx/#{f}" do
+ owner 'root'
+ group 'root'
+ mode '644'
+
+ notifies :reload, 'service[nginx]'
+ end
+end
+
 # Prerequisites for Building nginx:
 include_recipe './webadm.rb'
diff --git a/cookbooks/nginx/setup.rb b/cookbooks/nginx/setup.rb
index bbe449a..0ef7337 100644
--- a/cookbooks/nginx/setup.rb
+++ b/cookbooks/nginx/setup.rb
@@ -1,37 +1,3 @@
-# Create the necessary directories:
-%w( body fastcgi proxy scgi uwsgi ).each do |d|
- directory "/var/lib/nginx/#{d}" do
- owner 'www-data'
- group 'root'
- mode '755'
- end
-end
-
-link '/etc/nginx/sites-enabled' do
- to '/home/webadm/repo/nginx-config/sites-available'
- user 'root'
-
- notifies :reload, 'service[nginx]'
-end
-
-link '/etc/nginx/stream-enabled' do
- to '/home/webadm/repo/nginx-config/stream-available'
- user 'root'
-
- notifies :reload, 'service[nginx]'
-end
-
-# Deploy the nginx configuration files:
-%w(nginx.conf basic-auth).each do |f|
- remote_file "/etc/nginx/#{f}" do
- owner 'root'
- group 'root'
- mode '644'
-
- notifies :reload, 'service[nginx]'
- end
-end
-
 # Log rotation setting:
 remote_file '/etc/logrotate.d/nginx' do
 owner 'root'
From 1701922c91f16304527a73cb2acd910d8fa8cf99 Mon Sep 17 00:00:00 2001
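Review bot: `mode '644'` in the `%w(nginx.conf basic-auth)` loop leaves /etc/nginx/basic-auth readable by every local account; a credentials file should be readable only by root and the worker group, so split that entry out with `mode '0640'` and `group 'www-data'` (nginx.conf can stay 644). The moved block now sits before `include_recipe './webadm.rb'` and, as far as this hunk shows, before any nginx install or build step, so on a fresh host /etc/nginx may not exist when the `remote_file` runs — worth confirming against the rest of default.rb. The symlinks from sites-enabled/stream-enabled into the webadm repo are replaced by empty directories here and nothing in this patch populates them, presumably by design for the deploy.sh run added in patch 6; a one-line comment above the `%w( /etc/nginx/sites-enabled ...` loop saying who fills these directories would save the next reader the search.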
From: Kazuhiro MUSASHI
Date: Sat, 1 May 2021 21:29:30 +0900
Subject: [PATCH 6/6] Execute deploy scripts for `nginx`.
---
 cookbooks/nginx/webadm.rb | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/cookbooks/nginx/webadm.rb b/cookbooks/nginx/webadm.rb
index f1e6ae4..aab4f1e 100644
--- a/cookbooks/nginx/webadm.rb
+++ b/cookbooks/nginx/webadm.rb
@@ -46,7 +46,17 @@ end
 git '/home/webadm/repo/nginx-config' do
 user 'webadm'
 repository 'https://gitea.kazu634.com/kazu634/nginx-config.git'
-
- not_if 'test -e /home/webadm/repo/nginx-config'
 end
+execute '/home/webadm/repo/nginx-config/deploy.sh' do
+ user 'root'
+ cwd '/home/webadm/repo/nginx-config/'
+end
+
+service 'consul-template' do
+ action :restart
+end
+
+service 'nginx' do
+ action :restart
+end
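Review bot: `execute '/home/webadm/repo/nginx-config/deploy.sh'` runs a script out of a checkout owned by `webadm` as root on every converge, and with the `not_if` guard removed the `git` resource above now tracks the repository head rather than a pinned `revision`, so anyone who can push to that repository or write to webadm's home gets root on every host applying this recipe. Pin `revision` to a reviewed tag or commit, and if the script does not need root run it with `user 'webadm'`. The two `service ... action :restart` resources also restart consul-template and nginx unconditionally on each run; declare them `:nothing`, have the execute notify them, give the execute an idempotency guard (or have deploy.sh exit without changes when nothing moved), and prefer `:reload` for nginx so open connections are kept. The `git` resource's body begins above this hunk.
```ruby
execute '/home/webadm/repo/nginx-config/deploy.sh' do
  user 'root'
  cwd '/home/webadm/repo/nginx-config/'
  # TODO(review): add a not_if/only_if so this runs only when the checkout changed

  notifies :restart, 'service[consul-template]'
  notifies :reload, 'service[nginx]'
end

service 'consul-template' do
  action :nothing
end

service 'nginx' do
  action :nothing
end
```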