initial upload

2025-10-10 11:07:34 +00:00
commit 6224cd01c6
161 changed files with 8964 additions and 0 deletions
--- a/roles/consul/templates/etc_consul.d_00-base_config.hcl.j2
+++ b/roles/consul/templates/etc_consul.d_00-base_config.hcl.j2
@@ -0,0 +1,83 @@
+# {{ ansible_managed }}
+
+# Logging
+enable_syslog = true
+log_level = "INFO"
+disable_update_check = true
+
+# Basics
+data_dir = "{{ consul_data_dir }}"
+datacenter = "{{ datacenter_id }}"
+server = {{ 'false' if consul_server else 'true' }}
+ui = true
+
+# Network
+{% if consul_bootstrap_expect > 0 %}
+encrypt = "{{ consul_encrypt_key }}"
+{% endif %}
+client_addr = "{{ consul_client_addr }}"
+bind_addr = "{{ network_private_ip }}"
+advertise_addr = "{{ network_private_ip }}"
+retry_join = [
+{% for peer in consul_servers if peer != ansible_hostname and hostvars[peer].datacenter_id == datacenter_id %}
+    "{{ hostvars[peer].network_private_ip }}"{{ ',' if not loop.last else '' }}
+{% endfor %}
+]
+{% if consul_server %}
+{%   if consul_bootstrap_expect > 0 %}
+bootstrap_expect = {{ consul_bootstrap_expect }}
+{%   endif %}
+rejoin_after_leave = true
+retry_join_wan = [
+{%   for peer in consul_servers if hostvars[peer].datacenter_id != datacenter_id %}
+   "{{ hostvars[peer].network_private_ip }}"{{ ',' if not loop.last else '' }}
+{%   endfor %}
+]
+{% endif %}
+
+# TLS
+#ports {
+#  https = 8501
+#}
+#key_file = "/etc/letsencrypt/live/{{ ansible_hostname }}.maruntiel.net/privkey1.pem"
+#cert_file = "/etc/letsencrypt/live/{{ ansible_hostname }}.maruntiel.net/fullchain1.pem"
+#ca_file = "/etc/letsencrypt/live/{{ ansible_hostname }}.maruntiel.net/chain1.pem"
+#verify_incoming = true
+#verify_outgoing = true
+#tls_min_version = "tls12"
+
+# Features
+enable_script_checks = true
+disable_remote_exec = true
+
+# ACLs
+#{% if consul_acl_datacenter is defined and consul_acl_datacenter %}
+#acl_datacenter = "{{ consul_acl_datacenter }}"
+#acl_default_policy = "deny"
+#acl_down_policy = "extend-cache"
+#acl_agent_token = "{{ consul_acl_agent_token }}"
+#acl_token = "{{ consul_acl_token }}"
+#{%   if datacenter_id != consul_acl_datacenter %}
+#acl_replication_token = "{{ consul_acl_replication_token | default(consul_acl_master_token) }}"
+#{%   endif %}
+#{% endif %}
+
+# DNS
+dns_config {
+  node_ttl = "60s"
+  service_ttl {
+    "*" = "15s"
+  }
+}
+
+# Metadata
+node_meta {
+  architecture = "{{ ansible_userspace_architecture }}"
+  product_name = "{{ ansible_system_vendor|replace(' Inc.', '') }} {{ ansible_product_name }}"
+  virtualization_role = "{{ ansible_virtualization_role }}"
+}
+
+# Consul Stats
+telemetry {
+  disable_hostname = true
+}
--- a/roles/consul/templates/etc_default_consul.j2
+++ b/roles/consul/templates/etc_default_consul.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+{% if consul_ui_beta|default(False) %}
+ui_config=enable
+{% endif %}
--- a/roles/consul/templates/etc_firewall_rules-v4.d_78_consul.sh.j2
+++ b/roles/consul/templates/etc_firewall_rules-v4.d_78_consul.sh.j2
@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+{% if not consul_stub_mode %}
+{%   if consul_server %}
+iptables -A internal-in -p tcp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+iptables -A internal-in -p udp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+{%   else %}
+{%     for ip in datacenter_local_networks %}
+iptables -A internal-in -s {{ ip }} -p tcp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+iptables -A internal-in -s {{ ip }} -p udp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+{%     endfor %}
+{%   endif %}
+
+{%   if consul_expose_apis %}
+iptables -A internal-in -p tcp --dport 8500:8501 -m comment --comment "consul-http" -j ACCEPT
+iptables -A internal-in -p tcp --dport 8600 -m comment --comment "consul-dns" -j ACCEPT
+iptables -A internal-in -p udp --dport 8600 -m comment --comment "consul-dns" -j ACCEPT
+{%   endif %}
+
+iptables -A internal-out -p tcp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+iptables -A internal-out -p udp --dport 8300:8302 -m comment --comment "consul" -j ACCEPT
+iptables -A internal-out -p tcp --dport 8500:8501 -m comment --comment "consul-http" -j ACCEPT
+iptables -A internal-out -p tcp --dport 8600 -m comment --comment "consul-dns" -j ACCEPT
+iptables -A internal-out -p udp --dport 8600 -m comment --comment "consul-dns" -j ACCEPT
+{% endif %}
--- a/roles/consul/templates/etc_systemd_system_consul.service.j2
+++ b/roles/consul/templates/etc_systemd_system_consul.service.j2
@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Consul Agent
+Requires=network-online.target
+After=network-online.target
+RequiresMountsFor={{ consul_data_dir }}
+
+[Service]
+EnvironmentFile=-/etc/default/consul
+ExecStart=/usr/local/bin/consul agent $CONSUL_FLAGS -config-dir={{ consul_config_dir }} -config-dir={{ consul_data_dir }}
+ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGINT
+StandardOutput=null
+User=consul
+Group=consul
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/consul/templates/usr_local_bin_consul-tag.j2
+++ b/roles/consul/templates/usr_local_bin_consul-tag.j2
@@ -0,0 +1,71 @@
+#!/usr/bin/python3
+# {{ ansible_managed }}
+
+import os
+import sys
+import requests
+
+CONSUL_API = 'http://localhost:8500'
+
+
+def get_service(sess, service_id):
+        r = sess.get(CONSUL_API + '/v1/agent/services', timeout=2)
+        r.raise_for_status()
+        services = r.json()
+
+        for svc in services.values():
+                if svc['ID'] == service_id:
+                        return svc
+
+        return None
+
+
+def change_service_tags(service, tags_to_add, tags_to_remove):
+        with requests.Session() as sess:
+                sess.headers = {'X-Consul-Token': os.getenv('CONSUL_HTTP_TOKEN')}
+
+                svc = get_service(sess, service)
+                if svc:
+                        new_tags = (set(svc.get('Tags', [])) | tags_to_add) - tags_to_remove
+                        new_svc = {
+                                'ID': svc['ID'],
+                                'Name': svc['Service'],
+                                'Address': svc.get('Address', ''),
+                                'Port': svc.get('Port', 0),
+                                'Meta': svc.get('Meta', {}),
+                                'Tags': sorted(list(new_tags)),
+                                'EnableTagOverride': svc.get('EnableTagOverride', False),
+                        }
+                        for k, v in new_svc.items():
+                                print('{} = {}'.format(k, v))
+                        r = sess.put(CONSUL_API + '/v1/agent/service/register', json=new_svc, timeout=2)
+                        r.raise_for_status()
+
+
+def main(argv):
+        if len(argv) < 3:
+                print("Usage: consul-tag service +tag -tag...")
+                return 1
+
+        service = argv[1]
+        tags_to_add = set()
+        tags_to_remove = set()
+        for tag in argv[2:]:
+                if tag.startswith('-'):
+                        tags_to_remove.add(tag[1:])
+                elif tag.startswith('+'):
+                        tags_to_add.add(tag[1:])
+                else:
+                        tags_to_add.add(tag)
+
+        try:
+                change_service_tags(service, tags_to_add, tags_to_remove)
+        except Exception as exc:
+                print("Error: {}".format(exc))
+                return 2
+
+        return 0
+
+
+if __name__ == '__main__':
+        sys.exit(main(sys.argv))