vastly increase idempotence; credits to max
This commit is contained in:
parent
605a51018b
commit
bd1807a604
49
deploy.yml
49
deploy.yml
@ -5,10 +5,59 @@
|
|||||||
---
|
---
|
||||||
- hosts: innernet_server
|
- hosts: innernet_server
|
||||||
remote_user: root
|
remote_user: root
|
||||||
|
tasks:
|
||||||
|
- name: Query innernet-server for peers
|
||||||
|
shell: 'sqlite3 /var/lib/innernet-server/{{ network_name }}.db "select name from cidrs;"'
|
||||||
|
register: global_existing_cidrs
|
||||||
|
|
||||||
|
- name: CIDRs already registered on innernet-server
|
||||||
|
debug:
|
||||||
|
msg: "{{ item }}"
|
||||||
|
loop: "{{ global_existing_cidrs.stdout_lines }}"
|
||||||
|
|
||||||
|
- name: CIDRs defined in this playbook
|
||||||
|
debug:
|
||||||
|
msg: "{{ item.name }}"
|
||||||
|
loop: "{{ cidrs }}"
|
||||||
|
|
||||||
|
- name: These CIDRs have been added
|
||||||
|
debug:
|
||||||
|
msg: "{{ item.name }} is new!"
|
||||||
|
when: item.name not in global_existing_cidrs.stdout_lines
|
||||||
|
loop: "{{ cidrs }}"
|
||||||
|
|
||||||
|
- name: Query innernet-server for peers
|
||||||
|
shell: 'sqlite3 /var/lib/innernet-server/{{ network_name }}.db "select name from peers;"'
|
||||||
|
register: global_existing_peers
|
||||||
|
|
||||||
|
- name: Peers already registered on innernet-server
|
||||||
|
debug:
|
||||||
|
msg: "{{ item }}"
|
||||||
|
loop: "{{ global_existing_peers.stdout_lines }}"
|
||||||
|
|
||||||
|
- name: Peers defined in this playbook
|
||||||
|
debug:
|
||||||
|
msg: "{{ item.name }}"
|
||||||
|
loop: "{{ peers }}"
|
||||||
|
|
||||||
|
- name: These peers have been added
|
||||||
|
debug:
|
||||||
|
msg: "{{ item.name }} is new!"
|
||||||
|
when: item.name not in global_existing_peers.stdout_lines
|
||||||
|
loop: "{{ peers }}"
|
||||||
|
|
||||||
|
- hosts: innernet_server
|
||||||
|
remote_user: root
|
||||||
|
vars:
|
||||||
|
existing_peers: "{{ global_existing_peers.stdout_lines }}"
|
||||||
|
existing_cidrs: "{{ global_existing_cidrs.stdout_lines }}"
|
||||||
roles:
|
roles:
|
||||||
- server
|
- server
|
||||||
|
|
||||||
- hosts: innernet_client
|
- hosts: innernet_client
|
||||||
remote_user: root
|
remote_user: root
|
||||||
|
vars:
|
||||||
|
existing_peers: "{{ global_existing_peers.stdout_lines }}"
|
||||||
|
existing_cidrs: "{{ global_existing_cidrs.stdout_lines }}"
|
||||||
roles:
|
roles:
|
||||||
- client
|
- client
|
||||||
|
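Review bot: The `vars:` added to the innernet_client play (`existing_peers: "{{ global_existing_peers.stdout_lines }}"` and the matching `existing_cidrs` line) reference variables that are registered only on innernet_server hosts, so on clients they are undefined whenever evaluated; if innernet_server holds a single host, `existing_peers: "{{ hostvars[groups['innernet_server'][0]].global_existing_peers.stdout_lines }}"` would let the client role rely on `existing_peers` instead of a hard-coded hostname. The two sqlite query tasks are read-only but, as `shell` tasks, always report `changed`, which works against the idempotence this commit is after; add `changed_when: false` to each. The first of them is named "Query innernet-server for peers" although it selects from `cidrs`; rename it `- name: Query innernet-server for CIDRs`. Neither query uses shell features, so `command:` would avoid an unnecessary shell around the templated `network_name`.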
@ -4,48 +4,50 @@
|
|||||||
|
|
||||||
---
|
---
|
||||||
- name: Install needed packages
|
- name: Install needed packages
|
||||||
|
tags: [update]
|
||||||
apt:
|
apt:
|
||||||
package:
|
package:
|
||||||
- rsync
|
- rsync
|
||||||
- wireguard
|
- wireguard
|
||||||
- wireguard-tools
|
- wireguard-tools
|
||||||
|
|
||||||
- name: Copy package to server
|
- name: Copy package to host
|
||||||
|
tags: [update]
|
||||||
synchronize:
|
synchronize:
|
||||||
src: "innernet.deb"
|
src: "innernet.deb"
|
||||||
dest: "/tmp/innernet.deb"
|
dest: "/tmp/innernet.deb"
|
||||||
|
|
||||||
- name: Install package
|
- name: Install package
|
||||||
|
tags: [update]
|
||||||
apt:
|
apt:
|
||||||
deb: "/tmp/innernet.deb"
|
deb: "/tmp/innernet.deb"
|
||||||
|
update_cache: true
|
||||||
install_recommends: true
|
install_recommends: true
|
||||||
|
|
||||||
- name: Copy non-admin invitation to servers
|
- name: Copy non-admin invitation to hosts
|
||||||
synchronize:
|
synchronize:
|
||||||
src: "{{ item.name }}.toml"
|
src: "{{ item.name }}.toml"
|
||||||
dest: "/tmp/{{ item.name }}.toml"
|
dest: "/tmp/{{ item.name }}.toml"
|
||||||
when:
|
when:
|
||||||
- item.cidr == "machines"
|
# is not existing
|
||||||
# NOTE innernet does not accept '.' in a name
|
- item.name not in hostvars['kaim.fsfeurope.org'].global_existing_peers.stdout_lines
|
||||||
|
# only if filename contains a part of the hostname
|
||||||
- item.name in ansible_host|replace('.', '-')
|
- item.name in ansible_host|replace('.', '-')
|
||||||
- item.name in added_peers.stdout
|
loop: "{{ peers }}"
|
||||||
with_items: "{{ peers }}"
|
|
||||||
|
|
||||||
- name: Install non-admin invitation on servers
|
- name: Install non-admin invitation on hosts
|
||||||
shell: |
|
shell: |
|
||||||
innernet install /tmp/{{ item.name }}.toml \
|
innernet install /tmp/{{ item.name }}.toml \
|
||||||
--default-name \
|
--default-name \
|
||||||
--delete-invite
|
--delete-invite
|
||||||
when:
|
when:
|
||||||
- item.cidr == "machines"
|
# is not existing
|
||||||
# NOTE innernet does not accept '.' in a name
|
- item.name not in hostvars['kaim.fsfeurope.org'].global_existing_peers.stdout_lines
|
||||||
|
# only if filename contains a part of the hostname
|
||||||
- item.name in ansible_host|replace('.', '-')
|
- item.name in ansible_host|replace('.', '-')
|
||||||
- item.name in added_peers.stdout
|
loop: "{{ peers }}"
|
||||||
with_items: "{{ peers }}"
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: Enable innernet daemon
|
- name: Enable innernet daemon
|
||||||
systemd:
|
systemd:
|
||||||
name: "innernet@{{ network_name }}"
|
name: "innernet@{{ network_name }}"
|
||||||
state: restarted
|
state: started
|
||||||
daemon_reload: true
|
|
||||||
|
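Review bot: The new condition `- item.name not in hostvars['kaim.fsfeurope.org'].global_existing_peers.stdout_lines`, present in both the Copy and Install invitation tasks, hard-codes one server hostname, so the role fails with an undefined-variable error as soon as that host is renamed or the role is reused; derive it from inventory, e.g. `- item.name not in hostvars[groups['innernet_server'][0]].global_existing_peers.stdout_lines`, or consume a play-level variable set from the server group. Changing the daemon task from `state: restarted` to `state: started` while dropping `daemon_reload: true` means an `update`-tagged run that installs a new package no longer restarts the running daemon; if quiet re-runs are the goal, a `notify` on the Install package task with a restart handler keeps idempotent runs unchanged while still restarting after an upgrade. The unchanged companion condition `- item.name in ansible_host|replace('.', '-')` is a substring test, so a short peer name can match unrelated hosts; worth noting since the new exact-match condition above it now makes the difference visible.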
@ -4,6 +4,7 @@
|
|||||||
|
|
||||||
---
|
---
|
||||||
- name: Install needed packages
|
- name: Install needed packages
|
||||||
|
tags: [update]
|
||||||
apt:
|
apt:
|
||||||
package:
|
package:
|
||||||
- rsync
|
- rsync
|
||||||
@ -11,54 +12,22 @@
|
|||||||
- wireguard-tools
|
- wireguard-tools
|
||||||
|
|
||||||
- name: Copy package to server
|
- name: Copy package to server
|
||||||
|
tags: [never, update]
|
||||||
synchronize:
|
synchronize:
|
||||||
src: "innernet-server.deb"
|
src: "innernet-server.deb"
|
||||||
dest: "/tmp/innernet-server.deb"
|
dest: "/tmp/innernet-server.deb"
|
||||||
|
|
||||||
- name: Install package
|
- name: Install package
|
||||||
|
tags: [never, update]
|
||||||
apt:
|
apt:
|
||||||
deb: "/tmp/innernet-server.deb"
|
deb: "/tmp/innernet-server.deb"
|
||||||
|
update_cache: true
|
||||||
install_recommends: true
|
install_recommends: true
|
||||||
|
|
||||||
- name: Copy relevant network var to host
|
- name: Check if network is initialised
|
||||||
copy:
|
stat:
|
||||||
content: "{{ network_name }}"
|
path: "/var/lib/innernet-server/{{ network_name }}.db"
|
||||||
dest: /root/network.txt
|
register: db_file
|
||||||
register: network_file
|
|
||||||
|
|
||||||
- name: Move old cidrs file
|
|
||||||
shell: mv cidrs.txt cidrs.txt.old
|
|
||||||
|
|
||||||
- name: Copy relevant cidrs var to host
|
|
||||||
template:
|
|
||||||
src: cidrs.j2
|
|
||||||
dest: /root/cidrs.txt
|
|
||||||
register: cidrs_file
|
|
||||||
|
|
||||||
- name: Get changed cidrs
|
|
||||||
shell: awk 'FNR==NR{old[$0];next};!($0 in old)' cidrs.txt.old cidrs.txt
|
|
||||||
register: added_cidrs
|
|
||||||
|
|
||||||
- name: Move old peers file
|
|
||||||
shell: mv peers.txt peers.txt.old
|
|
||||||
|
|
||||||
- name: Copy relevant peers var to host
|
|
||||||
template:
|
|
||||||
src: peers.j2
|
|
||||||
dest: /root/peers.txt
|
|
||||||
register: peers_file
|
|
||||||
|
|
||||||
- name: Get changed peers
|
|
||||||
shell: awk 'FNR==NR{old[$0];next};!($0 in old)' peers.txt.old peers.txt
|
|
||||||
register: added_peers
|
|
||||||
|
|
||||||
- name: "These CIDRs have been added"
|
|
||||||
debug:
|
|
||||||
msg: "{{ added_cidrs.stdout|from_yaml }}"
|
|
||||||
|
|
||||||
- name: "These peers have been added"
|
|
||||||
debug:
|
|
||||||
msg: "{{ added_peers.stdout|from_yaml }}"
|
|
||||||
|
|
||||||
- name: Create base network
|
- name: Create base network
|
||||||
shell: |
|
shell: |
|
||||||
@ -67,7 +36,7 @@
|
|||||||
--network-cidr "{{ network_cidr }}" \
|
--network-cidr "{{ network_cidr }}" \
|
||||||
--external-endpoint "[{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}]:{{ network_listen_port }}" \
|
--external-endpoint "[{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}]:{{ network_listen_port }}" \
|
||||||
--listen-port {{ network_listen_port }}
|
--listen-port {{ network_listen_port }}
|
||||||
when: network_file.changed
|
when: not db_file.stat.exists
|
||||||
|
|
||||||
- name: Create CIDRs
|
- name: Create CIDRs
|
||||||
shell: |
|
shell: |
|
||||||
@ -76,10 +45,9 @@
|
|||||||
--name "{{ item.name }}" \
|
--name "{{ item.name }}" \
|
||||||
--cidr "{{ item.cidr }}" \
|
--cidr "{{ item.cidr }}" \
|
||||||
--yes
|
--yes
|
||||||
with_items: "{{ cidrs }}"
|
loop: "{{ cidrs }}"
|
||||||
when:
|
when:
|
||||||
- cidrs_file.changed
|
- item.name not in existing_cidrs
|
||||||
- item.name in added_cidrs.stdout
|
|
||||||
|
|
||||||
- name: Create peers
|
- name: Create peers
|
||||||
shell: |
|
shell: |
|
||||||
@ -91,15 +59,9 @@
|
|||||||
--invite-expires "14d" \
|
--invite-expires "14d" \
|
||||||
--auto-ip \
|
--auto-ip \
|
||||||
--yes
|
--yes
|
||||||
with_items: "{{ peers }}"
|
loop: "{{ peers }}"
|
||||||
ignore_errors: true
|
|
||||||
when:
|
when:
|
||||||
- peers_file.changed
|
- item.name not in existing_peers
|
||||||
- item.name in added_peers.stdout
|
|
||||||
|
|
||||||
- name: Delete empty files
|
|
||||||
shell: find . -maxdepth 1 -type f -empty -print -delete
|
|
||||||
ignore_errors: true
|
|
||||||
|
|
||||||
- name: Check for actual peer invitation files
|
- name: Check for actual peer invitation files
|
||||||
shell: ls | grep .toml
|
shell: ls | grep .toml
|
||||||
@ -117,10 +79,15 @@
|
|||||||
dest: "{{ playbook_dir }}/roles/client/files/{{ item.name }}.toml"
|
dest: "{{ playbook_dir }}/roles/client/files/{{ item.name }}.toml"
|
||||||
mode: pull
|
mode: pull
|
||||||
when: toml_files.stdout.find(item.name) != -1
|
when: toml_files.stdout.find(item.name) != -1
|
||||||
with_items: "{{ peers }}"
|
loop: "{{ peers }}"
|
||||||
|
|
||||||
- name: Make sure invitation files are absent on innernet-server
|
- name: Make sure invitation files are absent on innernet-server
|
||||||
shell: "rm -rf /root/*.toml"
|
file:
|
||||||
|
state: absent
|
||||||
|
path: "/root/{{ item.name }}.toml"
|
||||||
|
loop: "{{ peers }}"
|
||||||
|
when:
|
||||||
|
- item.name not in existing_peers
|
||||||
|
|
||||||
- name: Enable innernet-server daemon
|
- name: Enable innernet-server daemon
|
||||||
systemd:
|
systemd:
|
||||||
|
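Review bot: The new guards `- item.name not in existing_cidrs` and `- item.name not in existing_peers` (Create CIDRs, Create peers, and the invitation clean-up task) depend on a variable that only the deploy.yml plays define, so running the server role from any other playbook fails on an undefined variable; `- item.name not in (existing_peers | default([]))` keeps the role self-contained and falls back to the previous create-everything behaviour. Replacing `rm -rf /root/*.toml` with the `file: state: absent` loop is the right direction given that invitation files carry join credentials, but restricting it with `when: - item.name not in existing_peers` means a `.toml` left over from an earlier interrupted run for an already-registered peer is never removed; dropping that `when`, or enumerating leftovers with the `find` module, would clean up everything that the pull task no longer needs. The `stat`-based `when: not db_file.stat.exists` is a sound replacement for the former `network_file.changed` check, as it no longer depends on a marker file staying in sync with the database.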