fixed deploy yaml for user deployment

2026-01-19 16:56:34 +01:00
parent 4e1f015a49
commit 7d8e6f2785
7 changed files with 59 additions and 1 deletions
--- a/infrastructure/ansible/deploy.yml
+++ b/infrastructure/ansible/deploy.yml
@@ -27,6 +27,7 @@
      stat:
        path: "{{ host_def_file_fqdn }}"
      delegate_to: localhost
+      become: false  # Kein sudo für lokale Datei-Operationen
      register: def_fqdn

    - name: "Warnung wenn unkonfiguriert"
@@ -44,6 +45,7 @@
        file: "{{ host_def_file_fqdn }}"
        name: host_config
      delegate_to: localhost
+      become: false  # Kein sudo für lokale Datei-Operationen

    - name: "Plan anzeigen"
      debug:
--- a/infrastructure/ansible/deploy_logic_push.yml
+++ b/infrastructure/ansible/deploy_logic_push.yml
@@ -6,6 +6,7 @@
  stat:
    path: "{{ apps_catalog_path }}/{{ app_item.name }}"
  delegate_to: localhost
+  become: false  # Kein sudo für lokale Datei-Operationen
  register: catalog_entry

 - name: "Fehler: App fehlt im Katalog"
@@ -30,6 +31,7 @@
  set_fact:
    vault_response: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}"
  delegate_to: localhost
+  become: false  # Kein sudo für Vault-Lookup
  when: app_item.has_secrets | default(false)
  ignore_errors: true

@@ -42,6 +44,7 @@
  set_fact:
    cf_response: "{{ lookup('community.hashi_vault.vault_kv2_get', 'infrastructure/cloudflare', engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}"
  delegate_to: localhost
+  become: false  # Kein sudo für Vault-Lookup
  when: app_item.name == 'traefik-edge'
  ignore_errors: true

@@ -97,6 +100,7 @@
    rsync_opts:
      - "--chmod=Du=rwx,Dgo=rx,Fu=rw,Fgo=r"  # directory_mode='0755', mode='0644'
  delegate_to: localhost  # rsync läuft von localhost (Source) zu remote (Destination)
+  become: false  # Kein sudo für rsync
  register: file_sync_result

 # 7. Docker Compose Deployment
--- a/infrastructure/ansible/group_vars/all/users.yml
+++ b/infrastructure/ansible/group_vars/all/users.yml
@@ -4,6 +4,11 @@ users_list:
    groups: [sudo, docker]
    ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDNhzTnunFTn0aUL9BLdUFCrNreNBC6LmB0Vn/K4Jnv nick@pc"
    shell: /bin/bash
+  - username: danny
+    state: present
+    groups: [sudo, docker]
+    ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW9Dgg1HwSUYZjGoJx1ikldn7xH3R4tiygoTXcT7nCX"
+    shell: /bin/bash

 #  - username: admin
 #    state: present
--- a/infrastructure/ansible/inventory.ini
+++ b/infrastructure/ansible/inventory.ini
@@ -3,6 +3,10 @@ vm-docker-apps-301.stabify.de ansible_host=10.100.30.11
 # vm-docker-traefik-302 entfernt (Traefik Edge läuft jetzt im k3s Cluster)
 # vm-docker-mailcow-300.stabify.de ansible_host=10.100.30.10

+[bastion_hosts]
+vm-bastion-900.stabify.de ansible_host=10.100.90.10
+vm-bastion-901.stabify.de ansible_host=10.100.90.11
+
 [k3s_masters]
 vm-k3s-master-400.stabify.de ansible_host=10.100.40.10
 vm-k3s-master-401.stabify.de ansible_host=10.100.40.11
--- a/infrastructure/ansible/k3s_deploy.yml
+++ b/infrastructure/ansible/k3s_deploy.yml
@@ -21,8 +21,8 @@
        token: "{{ lookup('env', 'VAULT_TOKEN') }}"
        ca_cert: "{{ lookup('env', 'VAULT_CACERT') | default(playbook_dir ~ '/../../vault-ca.crt') }}"
      register: vault_k3s_data
-      register: vault_k3s_data
      delegate_to: localhost
+      become: false  # Kein sudo für Vault-Zugriff auf localhost
      ignore_errors: true
      vars:
        ansible_connection: local
--- a/infrastructure/ansible/roles/users/tasks/main.yml
+++ b/infrastructure/ansible/roles/users/tasks/main.yml
@@ -16,14 +16,37 @@
  loop: "{{ users_list }}"
  when: item.state | default('present') == 'present'

+- name: "Stelle sicher, dass .ssh Verzeichnis existiert"
+  file:
+    path: "/home/{{ item.username }}/.ssh"
+    state: directory
+    owner: "{{ item.username }}"
+    group: "{{ item.username }}"
+    mode: '0700'
+  loop: "{{ users_list }}"
+  when: item.state | default('present') == 'present' and item.ssh_key is defined
+
 - name: "Setze SSH Authorized Keys"
  authorized_key:
    user: "{{ item.username }}"
    state: present
    key: "{{ item.ssh_key }}"
+    exclusive: false  # Fügt Key hinzu, ohne andere zu löschen
  loop: "{{ users_list }}"
  when: item.state | default('present') == 'present' and item.ssh_key is defined

+- name: "Konfiguriere sudo NOPASSWD für sudo-Gruppe"
+  lineinfile:
+    path: /etc/sudoers.d/sudo-group-nopasswd
+    line: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL"
+    state: present
+    create: true
+    mode: '0440'
+    validate: 'visudo -cf %s'
+  tags:
+    - sudo
+    - users
+
 - name: "Entferne Benutzer (falls state=absent)"
  user:
    name: "{{ item.username }}"
--- a/infrastructure/ansible/setup_longhorn_disks.yml
+++ b/infrastructure/ansible/setup_longhorn_disks.yml
@@ -3,6 +3,26 @@
  hosts: k3s_masters
  become: yes
  tasks:
+    - name: Disable multipathd service (Longhorn requirement)
+      systemd:
+        name: multipathd
+        state: stopped
+        enabled: no
+      ignore_errors: true
+
+    - name: Ensure dm_crypt kernel module is loaded (for Longhorn encryption support)
+      modprobe:
+        name: dm_crypt
+        state: present
+      ignore_errors: true
+
+    - name: Ensure dm_crypt module is loaded on boot
+      copy:
+        content: "dm_crypt\n"
+        dest: /etc/modules-load.d/dm_crypt.conf
+        mode: '0644'
+      ignore_errors: true
+
    - name: Install required packages for Longhorn (iSCSI, NFS)
      apt:
        name: