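---
# Bootstraps a local systemd-nspawn development container.
#
# This play runs on the controller only: it creates the container with
# `dspawn`, bind-mounts the development directory into it, and registers the
# container address in the controller's /etc/hosts.
#
# Required variables:
#   target   - inventory name of the container; its `ansible_host` must be the
#              container IP address (passed with `-e target=CONTAINER_NAME`)
#   src_dir  - development directory to bind-mount into the container
#   user     - owner of `src_dir` on the controller
- name: Initialize a systemd-nspawn container
  hosts: localhost
  roles:
    - facts
  tasks:
    # Fail early with an actionable message instead of a cryptic error later
    # on. The `ipaddr` filter needs the `netaddr` Python library on the
    # controller.
    - name: Sanity cheks
      assert:
        that:
          - "target != 'localhost'"
          - "'ansible_host' in hostvars[target]"
          - "hostvars[target]['ansible_host'] | ipaddr"
        msg: 'please add CONTAINER_NAME to your inventory, with an ip address in ansible_host variable, then specify "-e target CONTAINER_NAME" on the command line. See for example dev.publik in inventory.yml'

    - name: "create {{src_dir}} directory"
      file:
        path: "{{src_dir}}"
        state: directory
        owner: "{{user}}"
        group: "{{user}}"

    # `dspawn create` is not idempotent, so a second run on an existing
    # container is expected to fail; errors are ignored for that reason only.
    # Any other failure (e.g. dspawn missing) is masked too and will only show
    # up in the following plays when the container cannot be reached.
    - name: create/start container and bind-mount our development directory
      local_action: command dspawn -p -b {{ src_dir }} -a {{ hostvars[target]['ansible_host'] }} create {{ target }}
      become: true
      ignore_errors: true

    # Make the *.local.publik names resolve to the container from the
    # controller; the regexp keys the line on the container address so a
    # rerun updates it in place instead of appending a duplicate.
    - lineinfile:
        path: /etc/hosts
        regexp: "^{{hostvars[target]['ansible_host']}} "
        line: "{{hostvars[target]['ansible_host']}} dev-hobo.local.publik agent-combo.local.publik user-combo.local.publik demarches-wcs.local.publik connexion-authentic.local.publik dev-fargo.local.publik dev-chrono.local.publik dev-passerelle.local.publik dev-corbo.local.publik dev-bijoe.local.publik"
      become: true
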
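# Basic configuration of the freshly created container, connecting as root:
# Entr'ouvert apt repository, a permissive local PostgreSQL, and a sudo-capable
# development user authorized with the controller's SSH public key.
#
# Facts are not gathered up front because the container has no Python yet;
# the first tasks use `raw` to install it.
# NOTE(review): roles run before tasks, so the `facts` role executes before
# the `raw` tasks below install Python — confirm it does not need Python on
# the container.
- name: Deploy container basic configuration
  hosts: "{{ target }}"
  gather_facts: false
  roles:
    - facts
  vars:
    ansible_user: root
  tasks:
    # Bootstrap with `raw` (no Python on the container yet). The repository is
    # declared before its signing key is installed, so the first `apt update`
    # cannot verify it; the packages below still come from the base
    # repositories, and the second `apt update` runs once the key is in place.
    # `ca-certificates` is installed first so the HTTPS key download below is
    # validated against the system trust store.
    - raw: echo 'deb http://deb.entrouvert.org/ stretch main' > /etc/apt/sources.list.d/entrouvert.list
    - raw: apt update; apt install -y python-simplejson python-apt ca-certificates sudo postgresql git
    - raw: wget -O - https://deb.entrouvert.org/entrouvert.gpg | apt-key add -
    - raw: apt update; dpkg -s ca-certificates-entrouvert || apt install -y ca-certificates-entrouvert

    # `trust` lets any local OS user connect as the postgres superuser over the
    # Unix socket without a password. That is what allows the root-run
    # `postgresql_user` task below to work, and is only acceptable inside this
    # throwaway development container.
    - lineinfile:
        path: /etc/postgresql/9.6/main/pg_hba.conf
        line: 'local all postgres trust'
        insertbefore: '# DO NOT DISABLE!'

    - lineinfile:
        path: /etc/postgresql/9.6/main/pg_hba.conf
        line: 'local all all peer'
        insertafter: 'local all postgres trust'

    # pg_hba.conf is only re-read on reload/restart.
    - raw: systemctl restart postgresql

    # NOTE(review): postgresql_user needs the psycopg2 Python library on the
    # container; it is not in the apt list above — verify the base image or
    # the `facts` role provides it.
    - postgresql_user:
        name: "{{user}}"
        role_attr_flags: CREATEDB,SUPERUSER

    - user:
        name: "{{user}}"
        groups: sudo
        append: true
        shell: /bin/bash

    # it is strange we need to fix permissions here (ansible 2.4)
    - file:
        path: "~{{user}}"
        state: directory
        owner: "{{user}}"
        group: "{{user}}"

    # Passwordless sudo for the development user. The regexp matches the
    # user's own entry (the original `^%{{user}}` matched a group entry the
    # managed line never produces, so reruns never updated it in place).
    # `validate` keeps a syntax error from locking everyone out of sudo.
    - lineinfile:
        dest: /etc/sudoers
        regexp: "^{{user}} "
        line: "{{user}} ALL=(ALL) NOPASSWD: ALL"
        validate: 'visudo -cf %s'

    # Modes are quoted so the YAML parser cannot reinterpret them as decimal
    # integers; Ansible converts the string as octal.
    - file:
        path: "~{{user}}/.ssh"
        state: directory
        owner: "{{user}}"
        mode: "0700"

    # Authorize the controller user's key for the development user.
    - copy:
        src: "~/.ssh/id_rsa.pub"
        dest: "~{{user}}/.ssh/authorized_keys"
        owner: "{{user}}"
        mode: "0600"

    # Dots are escaped and a trailing separator required so the regexp matches
    # exactly this address (the unescaped form also matched e.g. 127.0.42.10
    # or 127x0x42x1).
    - lineinfile:
        path: /etc/hosts
        regexp: '^127\.0\.42\.1\s'
        line: '127.0.42.1 dev.publik dev-hobo.local.publik agent-combo.local.publik user-combo.local.publik demarches-wcs.local.publik connexion-authentic.local.publik dev-fargo.local.publik dev-chrono.local.publik dev-passerelle.local.publik'
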
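# Copies the *.local.publik TLS material present on the controller into the
# container. The `copy` module does not expand wildcards in `src`, so the
# files are enumerated on the controller with `with_fileglob` and copied one
# by one into the destination directory; a glob that matches nothing simply
# copies nothing. The original `ignore-errors` key is not a valid task
# attribute (Ansible rejects the task); the correct spelling is
# `ignore_errors`.
- name: Copy certificates obtained from pki.entrouvert.org
  hosts: "{{ target }}"
  gather_facts: false
  vars:
    ansible_user: root
  tasks:
    - copy:
        src: "{{ item }}"
        dest: /etc/ssl/certs/
      with_fileglob:
        - "/etc/ssl/certs/*.local.publik.crt"
      ignore_errors: true

    # Private keys are kept root-only in the container; `copy` would
    # otherwise create them with the default (world-readable) mode.
    - copy:
        src: "{{ item }}"
        dest: /etc/ssl/private/
        mode: "0600"
      with_fileglob:
        - "/etc/ssl/private/*.local.publik.key"
      ignore_errors: true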