feat!: create ansible EN role (#2)

2025-12-06 02:49:55 +00:00 · 2024-03-05 17:05:57 +02:00
parent de9a6f35cf
commit 2af6a243ec
27 changed files with 1221 additions and 1 deletions
--- a/tasks/firewall.yml
+++ b/tasks/firewall.yml
@ -0,0 +1,80 @@
+---
+- name: Install iptables packages
+  ansible.builtin.apt:
+    update_cache: true
+    name: "{{ iptables_packages }}"
+
+- name: Allow loopback traffic
+  ansible.builtin.iptables:
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+
+- name: Allow related and established connections
+  ansible.builtin.iptables:
+    chain: INPUT
+    match: state
+    ctstate: RELATED,ESTABLISHED
+    jump: ACCEPT
+
+- name: Allow SSH traffic
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 22
+    jump: ACCEPT
+
+- name: Allow HTTP traffic from specific IP to http port
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 80
+    source: "{{ loadbalancer_ip | mandatory }}"
+    jump: ACCEPT
+
+- name: Allow HTTP traffic from specific IP to https port
+  when: enable_tls
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 443
+    source: "{{ loadbalancer_ip | mandatory }}"
+    jump: ACCEPT
+
+- name: Allow healthcheck port traffic from specific IP
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: 3080
+    source: "{{ loadbalancer_ip | mandatory }}"
+    jump: ACCEPT
+
+- name: Set default policy to DROP
+  ansible.builtin.iptables:
+    chain: INPUT
+    policy: DROP
+
+- name: Save ipv4 current state of the firewall in system file
+  community.general.iptables_state:
+    ip_version: ipv4
+    state: saved
+    path: /etc/iptables/rules.v4
+
+- name: Save ipv6 current state of the firewall in system file
+  community.general.iptables_state:
+    ip_version: ipv6
+    state: saved
+    path: /etc/iptables/rules.v6
+
+- name: Disable SSH password authentication
+  when: disable_ssh_password_auth
+  ansible.builtin.lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#PasswordAuthentication yes'
+    line: 'PasswordAuthentication no'
+
+- name: Restart ssh
+  when: disable_ssh_password_auth
+  ansible.builtin.service:
+    name: ssh
+    state: restarted
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,7 @@
+---
+- name: Setup firewall
+  ansible.builtin.include_tasks: firewall.yml
+  when: use_predefined_iptables
+
+- name: Prepare configs
+  ansible.builtin.include_tasks: provision.yml
--- a/tasks/provision.yml
+++ b/tasks/provision.yml
@ -0,0 +1,98 @@
+---
+- name: Create configuration directory
+  ansible.builtin.file:
+    path: "{{ configuration_directory }}"
+    state: directory
+    mode: '0755'
+
+- name: Create storage directories
+  ansible.builtin.file:
+    path: "{{ storage_directory }}/{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - db
+    - db/lightweight-new
+    - db/state_keeper
+
+- name: "Verify that required variables are defined"
+  ansible.builtin.assert:
+    that:
+      - required_var != ""
+    fail_msg: "{{ required_var }} needs to be set for the role to work"
+    success_msg: "Required variable {{ required_var }} isn't empty"
+  loop_control:
+    loop_var: required_var
+  with_items:
+    - database_name
+    - database_username
+    - database_password
+    - eth_l1_url
+    - main_node_url
+    - l2_chain_id
+    - l1_chain_id
+
+- name: Check required en vars empty
+  ansible.builtin.fail:
+    msg: "Variable '{{ item }}' is empty"
+  when: vars[item] == ""
+  with_items: "{{ en_required_variables }}"
+
+- name: Copy main configs
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    mode: '0644'
+  loop:
+    - src: "templates/docker-compose.yaml.j2"
+      dest: "{{ configuration_directory }}/docker-compose.yaml"
+    - src: "templates/external_node.env.j2"
+      dest: "{{ configuration_directory }}/external_node.env"
+    - src: "templates/postgres.env.j2"
+      dest: "{{ configuration_directory }}/postgres.env"
+
+- name: Copy restore script
+  register: restore_dump_script
+  ansible.builtin.template:
+    src: 'templates/restore_dump.sh.j2'
+    dest: '{{ configuration_directory }}/restore_dump.sh'
+    mode: "a+x"
+
+- name: Check required monitoring vars empty
+  ansible.builtin.fail:
+    msg: "Variable '{{ item }}' is empty"
+  when: enable_monitoring and ( vars[item] == "" )
+  with_items: "{{ monitoring_required_variables }}"
+
+- name: Copy monitoring configs
+  when: enable_monitoring
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    mode: '0644'
+  loop:
+    - src: "templates/monitoring.yaml.j2"
+      dest: "{{ configuration_directory }}/monitoring.yaml"
+    - src: "templates/vmagent-config.yml.j2"
+      dest: "{{ configuration_directory }}/vmagent-config.yml"
+
+- name: Run docker-compose without monitoring
+  when: not enable_monitoring
+  ansible.builtin.shell:
+    cmd: nohup docker compose -f docker-compose.yaml up -d &
+    chdir: "{{ configuration_directory }}"
+  changed_when: false
+
+- name: Run docker-compose with monitoring
+  when: enable_monitoring and (not restore_dump_script.changed)
+  ansible.builtin.shell:
+    cmd: nohup docker compose -f monitoring.yaml -f docker-compose.yaml up -d &
+    chdir: "{{ configuration_directory }}"
+  changed_when: false
+
+- name: Run docker-compose with monitoring with recreation
+  when: enable_monitoring and restore_dump_script.changed
+  ansible.builtin.shell:
+    cmd: nohup docker compose -f monitoring.yaml -f docker-compose.yaml up -d --force-recreate &
+    chdir: "{{ configuration_directory }}"
+  changed_when: false