initial upload

2025-10-10 11:07:34 +00:00
commit 6224cd01c6
161 changed files with 8964 additions and 0 deletions
--- a/roles/consul/defaults/main.yml
+++ b/roles/consul/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+
+consul_version: 1.8.5
+consul_url: https://releases.hashicorp.com/consul/{{ consul_version }}/consul_{{ consul_version }}_{{ ansible_system|lower }}_{{ ansible_userspace_architecture|replace('x86_64', 'amd64') }}.zip
+
+consul_data_dir: /opt/consul
+consul_config_dir: /etc/consul.d
+consul_server: true
+consul_bootstrap_expect: 2
+consul_wan_peers: []
+consul_encrypt_key: eRhnp22+c0bkV0wPolk6Mw==
+
+consul_expose_apis: no
+consul_client_addr: "{{ '0.0.0.0' if consul_expose_apis else '127.0.0.1' }}"
+
+consul_stub_mode: no
+consul_dns_forwarders: []
+
+consul_firewall: yes
--- a/roles/consul/handlers/main.yml
+++ b/roles/consul/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart consul
+  service: name=consul state=restarted
+
+- name: Reload consul
+  service: name=consul state=reloaded
--- a/roles/consul/meta/main.yml
+++ b/roles/consul/meta/main.yml
@@ -0,0 +1,6 @@
+---
+
+dependencies:
+  - role: firewall
+    when: consul_firewall
+  - network
--- a/roles/consul/tasks/main.yml
+++ b/roles/consul/tasks/main.yml
@@ -0,0 +1,122 @@
+---
+
+
+- name: Ensure the consul user exists
+  user:
+    name: consul
+    home: '{{ consul_data_dir }}'
+    system: yes
+    groups: ssl-cert
+    append: yes
+    shell: /bin/false
+    createhome: no
+    state: present
+  tags: packages
+
+- name: Ensure the consul config dir exists
+  file:
+    dest: /etc/consul.d
+    owner: root
+    group: consul
+    mode: 0750
+    state: directory
+  tags: packages
+
+- name: Ensure the consul data dir exists
+  file:
+    dest: /opt/consul
+    owner: consul
+    group: consul
+    mode: 0750
+    state: directory
+  tags: packages
+
+- name: Remove old consul config
+  file:
+    dest: /etc/consul.d/00-base_config.json
+    state: absent
+  tags: configs
+
+- name: Install consul config
+  template:
+    dest: /etc/consul.d/00-base_config.hcl
+    src: etc_consul.d_00-base_config.hcl.j2
+    #validate: 'consul validate %s'
+    mode: 0640
+    owner: root
+    group: consul
+  notify: Restart consul
+  tags:
+   - configs
+   - consul.conf
+
+- name: Install consul service config
+  template:
+    dest: /etc/default/consul
+    src: etc_default_consul.j2
+  when: not consul_stub_mode
+  notify: Restart consul
+  tags: configs
+
+- name: Install consul service
+  template:
+    dest: /etc/systemd/system/consul.service
+    src: etc_systemd_system_consul.service.j2
+  when: not consul_stub_mode
+  notify: Restart consul
+  tags: configs
+
+- name: Enable the consul service
+  systemd:
+    name: consul
+    state: "{{ 'started' if not consul_stub_mode else 'stopped' }}"
+    enabled: "{{ not consul_stub_mode }}"
+    daemon_reload: yes
+  when: not consul_stub_mode
+  tags: configs
+
+- name: Remove the master token if present
+  lineinfile:
+    dest: /root/.bashrc
+    regexp: '^export CONSUL_HTTP_TOKEN=.*'
+    state: absent
+  when: consul_acl_master_token is defined and consul_acl_master_token and not consul_stub_mode
+  tags: configs
+
+- name: Install packages needed by consul-tag
+  apt:
+    pkg:
+      - python3
+      - python3-requests
+    state: present
+  when: not consul_stub_mode
+  tags: consul-tag
+
+- name: Install consul-tag
+  template:
+    dest: /usr/local/bin/consul-tag
+    src: usr_local_bin_consul-tag.j2
+    mode: 0755
+    owner: root
+    group: root
+  when: not consul_stub_mode
+  tags: consul-tag
+
+- name: Remove old firewall config
+  file: dest=/etc/firewall/rules-v4.d/28_consul.sh state=absent
+  when: consul_firewall and not consul_stub_mode
+  notify: Restart firewall
+  tags:
+  - configs
+  - firewall
+
+- name: Install the consul firewall config
+  template:
+    dest: /etc/firewall/rules-v4.d/78_consul.sh
+    src: etc_firewall_rules-v4.d_78_consul.sh.j2
+    mode: 0600
+  when: consul_firewall
+  notify: Restart firewall
+  tags:
+  - configs
+  - firewall
--- a/roles/consul/templates/etc_consul.d_00-base_config.hcl.j2
+++ b/roles/consul/templates/etc_consul.d_00-base_config.hcl.j2
@@ -0,0 +1,83 @@
+# {{ ansible_managed }}
+
+# Logging
+enable_syslog = true
+log_level = "INFO"
+disable_update_check = true
+
+# Basics
+data_dir = "{{ consul_data_dir }}"
+datacenter = "{{ datacenter_id }}"
+server = {{ 'false' if consul_server else 'true' }}
+ui = true
+
+# Network
+{% if consul_bootstrap_expect > 0 %}
+encrypt = "{{ consul_encrypt_key }}"
+{% endif %}
+client_addr = "{{ consul_client_addr }}"
+bind_addr = "{{ network_private_ip }}"
+advertise_addr = "{{ network_private_ip }}"
+retry_join = [
+{% for peer in consul_servers if peer != ansible_hostname and hostvars[peer].datacenter_id == datacenter_id %}
+    "{{ hostvars[peer].network_private_ip }}"{{ ',' if not loop.last else '' }}
+{% endfor %}
+]
+{% if consul_server %}
+{%   if consul_bootstrap_expect > 0 %}
+bootstrap_expect = {{ consul_bootstrap_expect }}
+{%   endif %}
+rejoin_after_leave = true
+retry_join_wan = [
+{%   for peer in consul_servers if hostvars[peer].datacenter_id != datacenter_id %}
+   "{{ hostvars[peer].network_private_ip }}"{{ ',' if not loop.last else '' }}
+{%   endfor %}
+]
+{% endif %}
+
+# TLS
+#ports {
+#  https = 8501
+#}
+#key_file = "/etc/letsencrypt/live/{{ ansible_hostname }}.maruntiel.net/privkey1.pem"
+#cert_file = "/etc/letsencrypt/live/{{ ansible_hostname }}.maruntiel.net/fullchain1.pem"
+#ca_file = "/etc/letsencrypt/live/{{ ansible_hostname }}.maruntiel.net/chain1.pem"
+#verify_incoming = true
+#verify_outgoing = true
+#tls_min_version = "tls12"
+
+# Features
+enable_script_checks = true
+disable_remote_exec = true
+
+# ACLs
+#{% if consul_acl_datacenter is defined and consul_acl_datacenter %}
+#acl_datacenter = "{{ consul_acl_datacenter }}"
+#acl_default_policy = "deny"
+#acl_down_policy = "extend-cache"
+#acl_agent_token = "{{ consul_acl_agent_token }}"
+#acl_token = "{{ consul_acl_token }}"
+#{%   if datacenter_id != consul_acl_datacenter %}
+#acl_replication_token = "{{ consul_acl_replication_token | default(consul_acl_master_token) }}"
+#{%   endif %}
+#{% endif %}
+
+# DNS
+dns_config {
+  node_ttl = "60s"
+  service_ttl {
+    "*" = "15s"
+  }
+}
+
+# Metadata
+node_meta {
+  architecture = "{{ ansible_userspace_architecture }}"
+  product_name = "{{ ansible_system_vendor|replace(' Inc.', '') }} {{ ansible_product_name }}"
+  virtualization_role = "{{ ansible_virtualization_role }}"
+}
+
+# Consul Stats
+telemetry {
+  disable_hostname = true
+}
--- a/roles/consul/templates/etc_default_consul.j2
+++ b/roles/consul/templates/etc_default_consul.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% if consul_ui_beta|default(False) %}
+ui_config=enable
+{% endif %}
--- a/roles/consul/templates/etc_firewall_rules-v4.d_78_consul.sh.j2
+++ b/roles/consul/templates/etc_firewall_rules-v4.d_78_consul.sh.j2
@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+{% if not consul_stub_mode %}
+{%   if consul_server %}
+iptables -A internal-in -p tcp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+iptables -A internal-in -p udp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+{%   else %}
+{%     for ip in datacenter_local_networks %}
+iptables -A internal-in -s {{ ip }} -p tcp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+iptables -A internal-in -s {{ ip }} -p udp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+{%     endfor %}
+{%   endif %}
+
+{%   if consul_expose_apis %}
+iptables -A internal-in -p tcp --dport 8500:8501 -m comment --comment "consul-http" -j ACCEPT
+iptables -A internal-in -p tcp --dport 8600 -m comment --comment "consul-dns" -j ACCEPT
+iptables -A internal-in -p udp --dport 8600 -m comment --comment "consul-dns" -j ACCEPT
+{%   endif %}
+
+iptables -A internal-out -p tcp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+iptables -A internal-out -p udp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+iptables -A internal-out -p tcp --dport 8500:8501 -m comment --comment "consul-http" -j ACCEPT
+iptables -A internal-out -p tcp --dport 8600 -m comment --comment "consul-dns" -j ACCEPT
+iptables -A internal-out -p udp --dport 8600 -m comment --comment "consul-dns" -j ACCEPT
+{% endif %}
--- a/roles/consul/templates/etc_systemd_system_consul.service.j2
+++ b/roles/consul/templates/etc_systemd_system_consul.service.j2
@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Consul Agent
+Requires=network-online.target
+After=network-online.target
+RequiresMountsFor={{ consul_data_dir }}
+
+[Service]
+EnvironmentFile=-/etc/default/consul
+ExecStart=/usr/local/bin/consul agent $CONSUL_FLAGS -config-dir={{ consul_config_dir }} -config-dir={{ consul_data_dir }}
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGINT
+StandardOutput=null
+User=consul
+Group=consul
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/consul/templates/usr_local_bin_consul-tag.j2
+++ b/roles/consul/templates/usr_local_bin_consul-tag.j2
@@ -0,0 +1,71 @@
+#!/usr/bin/python3
+# {{ ansible_managed }}
+
+import os
+import sys
+import requests
+
+CONSUL_API = 'http://localhost:8500'
+
+
+def get_service(sess, service_id):
+        r = sess.get(CONSUL_API + '/v1/agent/services', timeout=2)
+        r.raise_for_status()
+        services = r.json()
+
+        for svc in services.values():
+                if svc['ID'] == service_id:
+                        return svc
+
+        return None
+
+
+def change_service_tags(service, tags_to_add, tags_to_remove):
+        with requests.Session() as sess:
+                sess.headers = {'X-Consul-Token': os.getenv('CONSUL_HTTP_TOKEN')}
+
+                svc = get_service(sess, service)
+                if svc:
+                        new_tags = (set(svc.get('Tags', [])) | tags_to_add) - tags_to_remove
+                        new_svc = {
+                                'ID': svc['ID'],
+                                'Name': svc['Service'],
+                                'Address': svc.get('Address', ''),
+                                'Port': svc.get('Port', 0),
+                                'Meta': svc.get('Meta', {}),
+                                'Tags': sorted(list(new_tags)),
+                                'EnableTagOverride': svc.get('EnableTagOverride', False),
+                        }
+                        for k, v in new_svc.items():
+                                print('{} = {}'.format(k, v))
+                        r = sess.put(CONSUL_API + '/v1/agent/service/register', json=new_svc, timeout=2)
+                        r.raise_for_status()
+
+
+def main(argv):
+        if len(argv) < 3:
+                print("Usage: consul-tag service +tag -tag...")
+                return 1
+
+        service = argv[1]
+        tags_to_add = set()
+        tags_to_remove = set()
+        for tag in argv[2:]:
+                if tag.startswith('-'):
+                        tags_to_remove.add(tag[1:])
+                elif tag.startswith('+'):
+                        tags_to_add.add(tag[1:])
+                else:
+                        tags_to_add.add(tag)
+
+        try:
+                change_service_tags(service, tags_to_add, tags_to_remove)
+        except Exception as exc:
+                print("Error: {}".format(exc))
+                return 2
+
+        return 0
+
+
+if __name__ == '__main__':
+        sys.exit(main(sys.argv))