From f8edaafda82df9996f81d1cc759c167fec9ae114 Mon Sep 17 00:00:00 2001
From: Christophe Siraut
Date: Thu, 30 Aug 2018 17:31:13 +0200
Subject: [PATCH 3/3] a playbook for setting up a container (#21756)
---
container.yml | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
inventory.yml | 2 ++
2 files changed, 113 insertions(+)
create mode 100644 container.yml
diff --git a/container.yml b/container.yml
new file mode 100644
index 0000000..318759e
--- /dev/null
+++ b/container.yml
@@ -0,0 +1,111 @@
+---
+- name: Initialize a systemd-nspawn container
+ hosts: localhost
+ roles:
+ - facts
+ tasks:
+ - name: Sanity cheks
+ assert:
+ that:
+ - "target != 'localhost'"
+ - "'ansible_host' in hostvars[target]"
+ - "hostvars[target]['ansible_host'] | ipaddr"
+ msg: 'please add CONTAINER_NAME to your inventory, with an ip address in ansible_host variable, then specify "-e target CONTAINER_NAME" on the command line. See for example dev.publik in inventory.yml'
+
+ - name: "create {{src_dir}} directory"
+ file:
+ path: "{{src_dir}}"
+ state: directory
+ owner: "{{user}}"
+ group: "{{user}}"
+
+ - name: create/start container and bind-mount our development directory
+ local_action: command dspawn -p -b {{ src_dir }} -a {{ hostvars[target]['ansible_host'] }} create {{ target }}
+ become: yes
+ ignore_errors: yes
+
+ - lineinfile:
+ path: /etc/hosts
+ regexp: "^{{hostvars[target]['ansible_host']}} "
+ line: "{{hostvars[target]['ansible_host']}} dev-hobo.local.publik agent-combo.local.publik user-combo.local.publik demarches-wcs.local.publik connexion-authentic.local.publik dev-fargo.local.publik dev-chrono.local.publik dev-passerelle.local.publik dev-corbo.local.publik dev-bijoe.local.publik"
+ become: yes
+
+- name: Deploy container basic configuration
+ hosts: "{{ target }}"
+ gather_facts: False
+ roles:
+ - facts
+ vars:
+ ansible_user: root
+ tasks:
+ - raw: echo 'deb http://deb.entrouvert.org/ stretch main' > /etc/apt/sources.list.d/entrouvert.list
+ - raw: apt update; apt install -y python-simplejson python-apt ca-certificates sudo postgresql git
+ - raw: wget -O - https://deb.entrouvert.org/entrouvert.gpg | apt-key add -
+ - raw: apt update; dpkg -s ca-certificates-entrouvert || apt install -y ca-certificates-entrouvert
+
+ - lineinfile:
+ path: /etc/postgresql/9.6/main/pg_hba.conf
+ line: 'local all postgres trust'
+ insertbefore: '# DO NOT DISABLE!'
+
+ - lineinfile:
+ path: /etc/postgresql/9.6/main/pg_hba.conf
+ line: 'local all all peer'
+ insertafter: 'local all postgres trust'
+
+ - raw: systemctl restart postgresql
+
+ - postgresql_user:
+ name: "{{user}}"
+ role_attr_flags: CREATEDB,SUPERUSER
+
+ - user:
+ name: "{{user}}"
+ groups: sudo
+ append: yes
+ shell: /bin/bash
+
+ # it is strange we need to fix permissions here (ansible 2.4)
+ - file:
+ path: "~{{user}}"
+ state: directory
+ owner: "{{user}}"
+ group: "{{user}}"
+
+ - lineinfile:
+ dest: /etc/sudoers
+ regexp: "^%{{user}}"
+ line: "{{user}} ALL=(ALL) NOPASSWD: ALL"
+ validate: 'visudo -cf %s'
+
+ - file:
+ path: "~{{user}}/.ssh"
+ state: directory
+ owner: "{{user}}"
+ mode: 0700
+ - copy:
+ src: "~/.ssh/id_rsa.pub"
+ dest: "~{{user}}/.ssh/authorized_keys"
+ owner: "{{user}}"
+ mode: 0600
+
+ - lineinfile:
+ path: /etc/hosts
+ regexp: '^127.0.42.1'
+ line: '127.0.42.1 dev.publik dev-hobo.local.publik agent-combo.local.publik user-combo.local.publik demarches-wcs.local.publik connexion-authentic.local.publik dev-fargo.local.publik dev-chrono.local.publik dev-passerelle.local.publik'
+
+- name: Copy certificates obtained from pki.entrouvert.org
+ hosts: "{{ target }}"
+ gather_facts: False
+ vars:
+ ansible_user: root
+ tasks:
+ - copy:
+ src: /etc/ssl/certs/*.local.publik.crt
+ dest: /etc/ssl/certs/*.local.publik.crt
+ ignore-errors: yes
+ - copy:
+ src: /etc/ssl/private/*.local.publik.key
+ dest: /etc/ssl/private/*.local.publik.key
+ ignore-errors: yes
+
diff --git a/inventory.yml b/inventory.yml
index bbc8f03..5e8b07d 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -3,3 +3,5 @@ local:
 hosts:
 localhost:
 ansible_connection: local
+ dev.publik:
+ ansible_host: 10.0.0.100
-- 2.11.0
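Review bot: `ignore-errors: yes` on both copy tasks of the last play is not the Ansible keyword (it is `ignore_errors`, as the first play already spells it), so Ansible should reject the play as an invalid task attribute before anything runs; and once that is fixed, `copy` does not expand the `*.local.publik.crt` / `*.local.publik.key` globs in `src`, so the tasks would look for files literally named with an asterisk and fail anyway — iterate the matches with `with_fileglob` and give `dest` the target directory, as below, and set an explicit restrictive `mode` on the private keys since `copy` otherwise creates them with the remote default (umask-derived) permissions. Two smaller points in the second play: the sudoers task is not idempotent because `regexp: "^%{{user}}"` anchors on a group entry while `line` writes a user entry, so every re-run appends another `NOPASSWD: ALL` line (`regexp: "^{{user}} "` would match what is actually written); and the `raw` step that pipes the repository key into `apt-key add` runs after the first `apt update; apt install`, so that update cannot verify the entrouvert source it was just given, and it should move ahead of it (a `signed-by=` option in the sources entry would also scope the key to that repository instead of trusting it for every source). `local all postgres trust` in pg_hba.conf lets any account inside the container open a superuser session without a password; that may be intended for a development container, but a comment stating so would help the next reader.
```yaml
# … unchanged: play header (name, hosts, gather_facts, vars) …
  tasks:
    - copy:
        src: "{{ item }}"
        dest: /etc/ssl/certs/
      with_fileglob: /etc/ssl/certs/*.local.publik.crt
    - copy:
        src: "{{ item }}"
        dest: /etc/ssl/private/
        mode: "0600"
      with_fileglob: /etc/ssl/private/*.local.publik.key
```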