Compare commits


10 Commits

10 changed files with 61 additions and 11 deletions


@ -70,6 +70,9 @@ include_recipe './starship.rb'
# Install cloudflared command: # Install cloudflared command:
include_recipe './cloudflared.rb' include_recipe './cloudflared.rb'
# Disable Ubuntu Pro
include_recipe './ubuntupro.rb'
# recipes for Ubuntu 20.04 and later # recipes for Ubuntu 20.04 and later
case node['platform_version'] case node['platform_version']
when "20.04", "22.04", "24.04" when "20.04", "22.04", "24.04"


@ -0,0 +1,11 @@
case node['platform_version']
when "24.04"
directory "/etc/apt/apt.conf.d/bk/"
%w( 20apt-esm-hook.conf ).each do |conf|
execute "mv /etc/apt/apt.conf.d/#{conf} /etc/apt/apt.conf.d/bk/#{conf}"
execute "touch /etc/apt/apt.conf.d/#{conf}"
end
execute 'pro config set apt_news=false'
end
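Review bot: The `execute "mv ..."` inside the `each` loop has no guard, so the recipe is not idempotent: after the first apply the path holds the empty file created by `touch`, and a second apply moves that empty file over the saved original in `bk/`, losing the backup. Guard both commands on the backup already existing, e.g. `not_if "test -e /etc/apt/apt.conf.d/bk/#{conf}"`. `execute 'pro config set apt_news=false'` also runs on every apply and presumably fails the run if the `pro` client is not installed, so an `only_if 'which pro'` is worth adding. A one-line comment above the `case` saying why the hook file is replaced by an empty one rather than deleted would help the next reader.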


@ -19,7 +19,7 @@ dns = run_command(cmd).stdout.chomp
node.reverse_merge!({ node.reverse_merge!({
'consul' => { 'consul' => {
'manager' => false, 'manager' => false,
'manager_hosts' => '"192.168.10.101", "192.168.10.251", "192.168.10.252", "192.168.10.253"', 'manager_hosts' => '"192.168.10.102", "192.168.10.251", "192.168.10.252", "192.168.10.253"',
'ipaddr' => ipaddr, 'ipaddr' => ipaddr,
'dns' => dns, 'dns' => dns,
'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=', 'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',
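Review bot: The `'encrypt'` value on the context line below the changed `'manager_hosts'` entry is a literal key committed in cleartext; if it is the Consul gossip encryption key, everyone with read access to the repository or its history holds the cluster's gossip secret. Other recipes in this comparison already deliver secrets through `encrypted_remote_file` with `password ENV['ITAMAE_PASSWORD']`, so this value could be loaded the same way or from the environment, e.g. `'encrypt' => ENV.fetch('CONSUL_GOSSIP_KEY')` (variable name is a placeholder). Since the current key is already in history, it would also need rotating. The hash passed to `node.reverse_merge!` continues outside the hunk.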


@ -1 +1 @@
md5:3589fac78cfe7ae33551d6478f20e2cd:salt:229-185-78-119-188-9-161-204:aes-256-cfb:aqhITLoIN7UEBZRyMeO+xwAqfZrz7VXUVcre+Fip/RhqzfWZaQ== md5:1ae55d337df5f9dd4fffc187a183b0b2:salt:205-89-236-103-190-38-95-67:aes-256-cfb:Ma2d+BQ24dejEcakleRob9FbO/uXSyymKm3hMllr4BU89COZ6g==


@ -1 +1 @@
md5:98b157199b9f17446254894788740c7d:salt:233-189-165-36-170-54-151-47:aes-256-cfb:gB1Ml+Bg2iNwwd76Qn7C8+mVlzKT9Ndb0W3R0g2PTQyF7ejNJg== md5:c5e23c82c19bfdbd585c22c2244d48c4:salt:159-101-196-196-176-220-40-108:aes-256-cfb:ddjwjLHE5NsLCVioXEv9oaJoGtpJ+P6FvVs6ecKK26eaI49ElQ==


@ -2,6 +2,10 @@ include_recipe './attributes.rb'
include_recipe './install.rb' include_recipe './install.rb'
if node['nomad']['client']
include_recipe '../docker/default.rb'
end
if node['nomad']['manager'] || node['nomad']['client'] if node['nomad']['manager'] || node['nomad']['client']
include_recipe './setup.rb' include_recipe './setup.rb'
include_recipe './csi.rb' include_recipe './csi.rb'


@ -21,6 +21,6 @@ node.reverse_merge!({
'manager' => false, 'manager' => false,
'ipaddr' => ipaddr, 'ipaddr' => ipaddr,
'hostname' => hostname, 'hostname' => hostname,
'ips' => ['192.168.10.141', '192.168.10.142', '192.168.10.143'], 'ips' => ['192.168.10.140', '192.168.10.141', '192.168.10.142'],
} }
}) })


@ -0,0 +1,5 @@
md5:cb234b386c1601dc3c6bf1072c00a441:salt:123-90-76-221-9-96-59-101:aes-256-cfb:SfQ2qhmH163jZgh9yequT6JyUCNfaCYW1Ch6BDE6Lid8fj6xcwWYLLTycXhs
o0y3Wvf3lgt3rHQy6J2tPuSahbtMcZwcBUp6jblNahBJW5yw1pUR/cLNXruy
J3/LLbA2BPBb+l2TAzVfUTNHKdPY7Z1hZ2hcSgf7uK6cCoSHrPGF1jePQx7+
Ys1sJLsg0M7jUXUiHrNZGdf5ShR0oeyQ+1tFYu9bMVn/EnJHoTtrL6Zbrb8b
14YmdtqwhuY46L+wTE2nmWqBUdCYCnlta8RHzgnXxWQRLnnEZ356oW+WIQ==


@ -2,9 +2,21 @@
template '/etc/vault.d/vault.hcl' do template '/etc/vault.d/vault.hcl' do
owner 'vault' owner 'vault'
group 'vault' group 'vault'
mode '644' mode '600'
variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips']) variables(HOSTNAME: node['vault']['hostname'], IPADDR: node['vault']['ipaddr'], IPS: node['vault']['ips'])
notifies :restart, 'service[vault]'
end
encrypted_remote_file '/etc/vault.d/vault.env' do
owner 'vault'
group 'vault'
mode '600'
source 'files/etc/vault.d/vault.env'
password ENV['ITAMAE_PASSWORD']
notifies :restart, 'service[vault]'
end end
directory '/etc/vault.d/policies' do directory '/etc/vault.d/policies' do
@ -26,3 +38,18 @@ remote_file '/etc/logrotate.d/vault' do
group 'root' group 'root'
mode '644' mode '644'
end end
%w(8200 8201).each do |port|
execute "ufw allow #{port}" do
user 'root'
not_if "LANG=c ufw status | grep #{port}"
notifies :run, 'execute[ufw reload-or-enable]'
end
end
service 'vault' do
action [:enable, :start]
end
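Review bot: `execute "ufw allow #{port}"` in the second hunk opens 8200 and 8201 to every source address, although 8201 is the cluster port that only the Vault peers need, and the template on this page sets `api_addr` and `cluster_addr` to plain `http://`. Scoping the rule to the management network would keep both ports off other segments, e.g. `execute "ufw allow from <MGMT_CIDR> to any port #{port} proto tcp"` (the CIDR is a placeholder). The guard `not_if "LANG=c ufw status | grep #{port}"` is a substring match, so an unrelated rule such as a DENY for the same port or a port like 18200 would make the recipe skip the allow. Something like `not_if "LANG=C ufw status | grep -qE '^#{port}(/tcp)? +ALLOW'"` is stricter, and would need adapting if the rule is scoped to a source address. In the first hunk, `password ENV['ITAMAE_PASSWORD']` passes `nil` when the variable is unset; `ENV.fetch('ITAMAE_PASSWORD')` would fail early with a clear error.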


@ -1,15 +1,15 @@
ui = true ui = true
disable_mlock = true disable_mlock = true
# service_registration "consul" { service_registration "consul" {
# address = "127.0.0.1:8500" address = "127.0.0.1:8500"
# token = "19149728-ce09-2a72-26b6-d2fc3aeecdd8" token = "63c7eb0b-3e39-95e8-9c70-6e42885cb8f8"
# } }
storage "raft" { storage "raft" {
path = "/opt/vault/data" path = "/opt/vault/data"
node_id = "<%= @HOSTNAME %>" node_id = "<%= @HOSTNAME %>"
<% @IPS.each do |ip| %> <% @IPS.each do |ip| %>
retry_join { retry_join {
leader_api_addr = "http://<%= ip %>:8200" leader_api_addr = "http://<%= ip %>:8200"
@ -18,7 +18,7 @@ storage "raft" {
} }
api_addr = "http://<%= @IPADDR %>:8200" api_addr = "http://<%= @IPADDR %>:8200"
cluster_addr = "http://<%= @IPADDR %>::8201" cluster_addr = "http://<%= @IPADDR %>:8201"
# HTTPS listener # HTTPS listener
listener "tcp" { listener "tcp" {