diff --git a/infrastructure/ansible/deploy.yml b/infrastructure/ansible/deploy.yml index 1823f9e..c39eaf1 100644 --- a/infrastructure/ansible/deploy.yml +++ b/infrastructure/ansible/deploy.yml @@ -27,6 +27,7 @@ stat: path: "{{ host_def_file_fqdn }}" delegate_to: localhost + become: false # Kein sudo für lokale Datei-Operationen register: def_fqdn - name: "Warnung wenn unkonfiguriert" @@ -44,6 +45,7 @@ file: "{{ host_def_file_fqdn }}" name: host_config delegate_to: localhost + become: false # Kein sudo für lokale Datei-Operationen - name: "Plan anzeigen" debug: diff --git a/infrastructure/ansible/deploy_logic_push.yml b/infrastructure/ansible/deploy_logic_push.yml index 9aa4846..e9d5705 100644 --- a/infrastructure/ansible/deploy_logic_push.yml +++ b/infrastructure/ansible/deploy_logic_push.yml @@ -6,6 +6,7 @@ stat: path: "{{ apps_catalog_path }}/{{ app_item.name }}" delegate_to: localhost + become: false # Kein sudo für lokale Datei-Operationen register: catalog_entry - name: "Fehler: App fehlt im Katalog" @@ -30,6 +31,7 @@ set_fact: vault_response: "{{ lookup('community.hashi_vault.vault_kv2_get', 'apps/' + app_item.name, engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}" delegate_to: localhost + become: false # Kein sudo für Vault-Lookup when: app_item.has_secrets | default(false) ignore_errors: true @@ -42,6 +44,7 @@ set_fact: cf_response: "{{ lookup('community.hashi_vault.vault_kv2_get', 'infrastructure/cloudflare', engine_mount_point='secret', url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200'), token=(vault_token | default(lookup('env', 'VAULT_TOKEN'))), validate_certs=false) | default({}) }}" delegate_to: localhost + become: false # Kein sudo für Vault-Lookup when: app_item.name == 'traefik-edge' ignore_errors: true 
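Review bot: In the `vault_response` task of the `@@ -30,6 +31,7 @@` hunk of deploy_logic_push.yml, `lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200')` never falls back when the variable is unset, because the env lookup yields an empty string rather than an undefined value and `default` without its second argument only replaces undefined; the `cf_response` task in the `@@ -42,6 +44,7 @@` hunk and the `ca_cert` line in the k3s_deploy.yml hunk have the same shape. Pass the boolean so empty values are replaced too: `url=lookup('env', 'VAULT_ADDR') | default('https://10.100.30.11:8200', true)` (and `default(playbook_dir ~ '/../../vault-ca.crt', true)` in k3s_deploy.yml). Both lookups in this file also pass `validate_certs=false`, while k3s_deploy.yml hands the same Vault a `ca_cert`; since these tasks are being edited anyway, using `ca_cert=...` instead would restore TLS verification of the secrets fetch. With `| default({})` plus `ignore_errors: true`, a failed lookup presumably leaves an empty dict and the play continues without the secrets; a `failed_when` on the registered result, or an `assert` that the expected keys are present, would make that visible. The added `become: false` itself changes nothing here, since lookups run on the controller regardless of `delegate_to`.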
@@ -97,6 +100,7 @@ rsync_opts: - "--chmod=Du=rwx,Dgo=rx,Fu=rw,Fgo=r" # directory_mode='0755', mode='0644' delegate_to: localhost # rsync läuft von localhost (Source) zu remote (Destination) + become: false # Kein sudo für rsync register: file_sync_result # 7. Docker Compose Deployment diff --git a/infrastructure/ansible/group_vars/all/users.yml b/infrastructure/ansible/group_vars/all/users.yml index 4e054d2..6ffd852 100644 --- a/infrastructure/ansible/group_vars/all/users.yml +++ b/infrastructure/ansible/group_vars/all/users.yml @@ -4,6 +4,11 @@ users_list: groups: [sudo, docker] ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMDNhzTnunFTn0aUL9BLdUFCrNreNBC6LmB0Vn/K4Jnv nick@pc" shell: /bin/bash + - username: danny + state: present + groups: [sudo, docker] + ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW9Dgg1HwSUYZjGoJx1ikldn7xH3R4tiygoTXcT7nCX" + shell: /bin/bash # - username: admin # state: present diff --git a/infrastructure/ansible/inventory.ini b/infrastructure/ansible/inventory.ini index 20f9be3..1a11b6e 100644 --- a/infrastructure/ansible/inventory.ini +++ b/infrastructure/ansible/inventory.ini @@ -3,6 +3,10 @@ vm-docker-apps-301.stabify.de ansible_host=10.100.30.11 # vm-docker-traefik-302 entfernt (Traefik Edge läuft jetzt im k3s Cluster) # vm-docker-mailcow-300.stabify.de ansible_host=10.100.30.10 +[bastion_hosts] +vm-bastion-900.stabify.de ansible_host=10.100.90.10 +vm-bastion-901.stabify.de ansible_host=10.100.90.11 + [k3s_masters] vm-k3s-master-400.stabify.de ansible_host=10.100.40.10 vm-k3s-master-401.stabify.de ansible_host=10.100.40.11 diff --git a/infrastructure/ansible/k3s_deploy.yml b/infrastructure/ansible/k3s_deploy.yml index 72468e3..5fd4289 100644 --- a/infrastructure/ansible/k3s_deploy.yml +++ b/infrastructure/ansible/k3s_deploy.yml 
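Review bot: `become: false` on the rsync task in the `@@ -97,6 +100,7 @@` hunk does not merely skip sudo on the controller: for `synchronize` (inferred from `rsync_opts`; the module name and `src`/`dest` lie above the hunk), `become` governs whether the remote side runs `sudo rsync`, so the destination is now written as the plain SSH user, which the comment `# Kein sudo für rsync` does not convey. If the destination path is only root-writable the sync will now fail, and where it succeeds the owner of the synced files changes; the `--chmod` option fixes permissions but not ownership. Either keep `become` on this task (with `become_user` if a specific owner is wanted) or state the new precondition in the comment, e.g. `# become here controls the remote side (sudo rsync); dest must be writable by the SSH user`.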
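Review bot: The new `danny` entry in the users.yml hunk joins both `sudo` and `docker`; membership of `docker` is already root-equivalent on the host, and together with the `NOPASSWD` sudoers rule added to roles/users in this commit the SSH key becomes a password-less root credential, so the access should be confirmed as intended. If the account only needs to run containers, `sudo` is redundant; if it needs host administration, `docker` is. The key also lacks the trailing identifier the existing entry carries (`nick@pc`); appending one (`... tXcT7nCX danny@<device>`, placeholder) makes rotation and audits of `authorized_keys` easier.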
@@ -21,8 +21,8 @@ token: "{{ lookup('env', 'VAULT_TOKEN') }}" ca_cert: "{{ lookup('env', 'VAULT_CACERT') | default(playbook_dir ~ '/../../vault-ca.crt') }}" register: vault_k3s_data - register: vault_k3s_data delegate_to: localhost + become: false # Kein sudo für Vault-Zugriff auf localhost ignore_errors: true vars: ansible_connection: local diff --git a/infrastructure/ansible/roles/users/tasks/main.yml b/infrastructure/ansible/roles/users/tasks/main.yml index d0f48f0..24ee074 100644 --- a/infrastructure/ansible/roles/users/tasks/main.yml +++ b/infrastructure/ansible/roles/users/tasks/main.yml @@ -16,14 +16,37 @@ loop: "{{ users_list }}" when: item.state | default('present') == 'present' +- name: "Stelle sicher, dass .ssh Verzeichnis existiert" + file: + path: "/home/{{ item.username }}/.ssh" + state: directory + owner: "{{ item.username }}" + group: "{{ item.username }}" + mode: '0700' + loop: "{{ users_list }}" + when: item.state | default('present') == 'present' and item.ssh_key is defined + - name: "Setze SSH Authorized Keys" authorized_key: user: "{{ item.username }}" state: present key: "{{ item.ssh_key }}" + exclusive: false # Fügt Key hinzu, ohne andere zu löschen loop: "{{ users_list }}" when: item.state | default('present') == 'present' and item.ssh_key is defined +- name: "Konfiguriere sudo NOPASSWD für sudo-Gruppe" + lineinfile: + path: /etc/sudoers.d/sudo-group-nopasswd + line: "%sudo ALL=(ALL:ALL) NOPASSWD: ALL" + state: present + create: true + mode: '0440' + validate: 'visudo -cf %s' + tags: + - sudo + - users + - name: "Entferne Benutzer (falls state=absent)" user: name: "{{ item.username }}" diff --git a/infrastructure/ansible/setup_longhorn_disks.yml b/infrastructure/ansible/setup_longhorn_disks.yml index 49f1971..023ca91 100644 --- a/infrastructure/ansible/setup_longhorn_disks.yml +++ b/infrastructure/ansible/setup_longhorn_disks.yml 
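Review bot: The new `Stelle sicher, dass .ssh Verzeichnis existiert` task in the roles/users hunk hardcodes `/home/{{ item.username }}`, which can diverge from the home the `user` task (it starts above the hunk) actually assigned, and it is redundant: `authorized_key` creates `~/.ssh` with mode 0700 and the key file with 0600 itself (`manage_dir` defaults to true), so the task can be dropped. `exclusive: false` is already the default, so that line only documents intent. The `sudo-group-nopasswd` rule grants every member of `sudo` password-less root; if that is deliberate, say so at the task (`# NOPASSWD for the whole sudo group: every sudo member's SSH key is a direct root credential`), and consider driving it per user from `users_list` instead so that accounts which only need `docker` or interactive sudo are not included. The `validate: 'visudo -cf %s'` check is the right safeguard for the `lineinfile` write.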
@@ -3,6 +3,26 @@ hosts: k3s_masters become: yes tasks: + - name: Disable multipathd service (Longhorn requirement) + systemd: + name: multipathd + state: stopped + enabled: no + ignore_errors: true + + - name: Ensure dm_crypt kernel module is loaded (for Longhorn encryption support) + modprobe: + name: dm_crypt + state: present + ignore_errors: true + + - name: Ensure dm_crypt module is loaded on boot + copy: + content: "dm_crypt\n" + dest: /etc/modules-load.d/dm_crypt.conf + mode: '0644' + ignore_errors: true + - name: Install required packages for Longhorn (iSCSI, NFS) apt: name:
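Review bot: All three new tasks in setup_longhorn_disks.yml carry `ignore_errors: true`, so a failing stop of `multipathd` — the stated Longhorn requirement — is printed and then forgotten, leaving the node in exactly the state the task exists to prevent; the `modprobe` and `copy` tasks should not fail on a supported kernel and need no ignore at all. The usual reason for tolerating the `systemd` failure is the unit being absent, which is better handled by gating on `service_facts`; adding `masked: true` also stops a later package install from re-enabling the unit (whether masking an absent unit still errors should be checked on the target OS). Style: `enabled: no` (and the existing `become: yes`) are YAML 1.1 truthy spellings; write `enabled: false` / `become: true` to match the `ignore_errors: true` form already used. The play targets only `k3s_masters`; if Longhorn also places replicas on worker nodes, those hosts are not covered — worth confirming.
```yaml
    - name: Gather service facts
      service_facts:

    - name: Disable and mask multipathd service (Longhorn requirement)
      systemd:
        name: multipathd
        state: stopped
        enabled: false
        masked: true
      when: "'multipathd.service' in ansible_facts.services"

    # … unchanged: dm_crypt modprobe and modules-load tasks, without ignore_errors …
```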