From 46e743b84a8b270216dc95106f10f4e7a900a8f2 Mon Sep 17 00:00:00 2001
From: Udo Waechter
Date: Wed, 11 Dec 2024 14:10:12 +0100
Subject: [PATCH] consul

---
 ansible/roles/nummer5/files/consul-ui.json.j2 | 15 +++
 ansible/roles/nummer5/files/consul.hcl.j2 | 105 ++++++++++++++++++
 ansible/roles/nummer5/files/consul_acl.hcl | 6 +
 ansible/roles/nummer5/files/nomad-ui.json.j2 | 15 +++
 ansible/roles/nummer5/files/vault-ui.json.j2 | 11 ++
 ansible/roles/nummer5/tasks/consul.yaml | 41 +++++++
 ansible/roles/nummer5/tasks/main.yaml | 5 +-
 ansible/roles/nummer5/tasks/nomad.yaml | 8 +-
 drone.yml.bak | 23 ++++
 9 files changed, 227 insertions(+), 2 deletions(-)
 create mode 100644 ansible/roles/nummer5/files/consul-ui.json.j2
 create mode 100644 ansible/roles/nummer5/files/consul.hcl.j2
 create mode 100644 ansible/roles/nummer5/files/consul_acl.hcl
 create mode 100644 ansible/roles/nummer5/files/nomad-ui.json.j2
 create mode 100644 ansible/roles/nummer5/files/vault-ui.json.j2
 create mode 100644 ansible/roles/nummer5/tasks/consul.yaml
 create mode 100644 drone.yml.bak

diff --git a/ansible/roles/nummer5/files/consul-ui.json.j2 b/ansible/roles/nummer5/files/consul-ui.json.j2
new file mode 100644
index 0000000..acce6f3
--- /dev/null
+++ b/ansible/roles/nummer5/files/consul-ui.json.j2
@@ -0,0 +1,15 @@
+{
+ "service": {
+ "ID": "consul-ui-{{ ansible_nodename }}",
+ "Name": "consul-ui",
+ "Tags": [
+ "traefik.enable=true",
+ "traefik.http.routers.consul-ui-http.rule=Host(`consul.service.nr5`)"
+ ],
+ "Port": 8500,
+ "Check": {
+ "HTTP": "http://{{ ansible_facts['default_ipv4']['address'] }}:8500/ui/",
+ "Interval": "60s"
+ }
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/nummer5/files/consul.hcl.j2 b/ansible/roles/nummer5/files/consul.hcl.j2
new file mode 100644
index 0000000..5e0387b
--- /dev/null
+++ b/ansible/roles/nummer5/files/consul.hcl.j2
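Review bot: The `Tags` on new lines 6-7 publish port 8500 through Traefik as `consul.service.nr5` over plain HTTP, and that port is Consul's whole HTTP API, not just the UI path; combined with `default_policy = "allow"` in the `consul_acl.hcl` added by this commit, anyone who can reach Traefik gets unauthenticated read and write access to the KV store and catalog. Either bind the router to a TLS entrypoint with an authentication middleware or switch the ACL default to deny before registering this service; the same exposure applies to `nomad-ui.json.j2` (port 4646) and `vault-ui.json.j2` (port 8200). The `Check` on line 11 probes `/ui/` over HTTP against the node address, which is fine as a health check but confirms the agent API itself is not TLS-terminated. The file also lacks a trailing newline.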
@@ -0,0 +1,105 @@
+######
+## Ansible
+##
+
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+# Full configuration options can be found at https://www.consul.io/docs/agent/config
+
+# datacenter
+# This flag controls the datacenter in which the agent is running. If not provided,
+# it defaults to "dc1". Consul has first-class support for multiple datacenters, but
+# it relies on proper configuration. Nodes in the same datacenter should be on a
+# single LAN.
+datacenter = "nummer5"
+domain = "nr5"
+alt_domain = "consul"
+recursors = ["172.16.23.1"]
+# data_dir
+# This flag provides a data directory for the agent to store state. This is required
+# for all agents. The directory should be durable across reboots. This is especially
+# critical for agents that are running in server mode as they must be able to persist
+# cluster state. Additionally, the directory must support the use of filesystem
+# locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may
+# not be suitable.
+data_dir = "/opt/consul"
+
+# client_addr
+# The address to which Consul will bind client interfaces, including the HTTP and DNS
+# servers. By default, this is "127.0.0.1", allowing only loopback connections. In
+# Consul 1.0 and later this can be set to a space-separated list of addresses to bind
+# to, or a go-sockaddr template that can potentially resolve to multiple addresses.
+client_addr = "0.0.0.0"
+
+# ui
+# Enables the built-in web UI server and the required HTTP routes. This eliminates
+# the need to maintain the Consul web UI files separately from the binary.
+# Version 1.10 deprecated ui=true in favor of ui_config.enabled=true
+ui_config{
+ enabled = true
+}
+
+# server
+# This flag is used to control if an agent is in server or client mode. When provided,
+# an agent will act as a Consul server. Each Consul cluster must have at least one
+# server and ideally no more than 5 per datacenter. All servers participate in the Raft
+# consensus algorithm to ensure that transactions occur in a consistent, linearizable
+# manner. Transactions modify cluster state, which is maintained on all server nodes to
+# ensure availability in the case of node failure. Server nodes also participate in a
+# WAN gossip pool with server nodes in other datacenters. Servers act as gateways to
+# other datacenters and forward traffic as appropriate.
+server = true
+
+# Bind addr
+# You may use IPv4 or IPv6 but if you have multiple interfaces you must be explicit.
+#bind_addr = "[::]" # Listen on all IPv6
+#bind_addr = "0.0.0.0" # Listen on all IPv4
+bind_addr = "{{ ansible_facts['default_ipv4']['address'] }}"
+# Advertise addr - if you want to point clients to a different address than bind or LB.
+#advertise_addr = "127.0.0.1"
+
+# Enterprise License
+# As of 1.10, Enterprise requires a license_path and does not have a short trial.
+#license_path = "/etc/consul.d/consul.hclic"
+
+# bootstrap_expect
+# This flag provides the number of expected servers in the datacenter. Either this value
+# should not be provided or the value must agree with other servers in the cluster. When
+# provided, Consul waits until the specified number of servers are available and then
+# bootstraps the cluster. This allows an initial leader to be elected automatically.
+# This cannot be used in conjunction with the legacy -bootstrap flag. This flag requires
+# -server mode.
+bootstrap_expect=3
+
+# encrypt
+# Specifies the secret key to use for encryption of Consul network traffic. This key must
+# be 32-bytes that are Base64-encoded. The easiest way to create an encryption key is to
+# use consul keygen. All nodes within a cluster must share the same encryption key to
+# communicate. The provided key is automatically persisted to the data directory and loaded
+# automatically whenever the agent is restarted. This means that to encrypt Consul's gossip
+# protocol, this option only needs to be provided once on each agent's initial startup
+# sequence. If it is provided after Consul has been initialized with an encryption key,
+# then the provided key is ignored and a warning will be displayed.
+encrypt = "5/P+DSsvMz0ykNwzqLRts2pl5P1WJTslVHIE58usBQ0="
+
+# retry_join
+# Similar to -join but allows retrying a join until it is successful. Once it joins
+# successfully to a member in a list of members it will never attempt to join again.
+# Agents will then solely maintain their membership via gossip. This is useful for
+# cases where you know the address will eventually be available. This option can be
+# specified multiple times to specify multiple agents to join. The value can contain
+# IPv4, IPv6, or DNS addresses. In Consul 1.1.0 and later this can be set to a go-sockaddr
+# template. If Consul is running on the non-default Serf LAN port, this must be specified
+# as well. IPv6 must use the "bracketed" syntax. If multiple values are given, they are
+# tried and retried in the order listed until the first succeeds. Here are some examples:
+#retry_join = ["consul.domain.internal"]
+#retry_join = ["10.0.4.67"]
+#retry_join = ["[::1]:8301"]
+#retry_join = ["consul.domain.internal", "10.0.4.67"]
+# Cloud Auto-join examples:
+# More details - https://www.consul.io/docs/agent/cloud-auto-join
+#retry_join = ["provider=aws tag_key=... tag_value=..."]
+#retry_join = ["provider=azure tag_name=... tag_value=... tenant_id=... client_id=... subscription_id=... secret_access_key=..."]
+#retry_join = ["provider=gce project_name=... tag_value=..."]
+retry_join = ["172.16.23.21", "172.16.23.22", "172.16.23.23", "172.16.23.24", "172.16.23.25"]
diff --git a/ansible/roles/nummer5/files/consul_acl.hcl b/ansible/roles/nummer5/files/consul_acl.hcl
new file mode 100644
index 0000000..34fb433
--- /dev/null
+++ b/ansible/roles/nummer5/files/consul_acl.hcl
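Review bot: The `encrypt = "..."` line (new line 83) commits the cluster's gossip encryption key to git in plaintext; the template should read it from a variable, `encrypt = "{{ consul_gossip_key }}"`, with the value held in an Ansible Vault-encrypted vars file, and the key that is now in history should be regenerated with `consul keygen` and rolled across the cluster. `client_addr = "0.0.0.0"` on line 33 binds the HTTP and DNS interfaces on every address, which together with the allow-by-default ACL file in this commit leaves the API reachable unauthenticated from the whole LAN; keep the loopback default or bind one interface and put TLS in front of it. Nothing in the 105 lines sets `tls`, `verify_incoming` or `verify_outgoing`, so server RPC and HTTP run in cleartext — worth a follow-up, or at least a comment stating that this is intentional for this network. The hard-coded `recursors` and `retry_join` addresses could be role variables for the same reason, and a `.j2` file conventionally lives under `templates/` rather than `files/`.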
@@ -0,0 +1,6 @@
+acl = {
+ enabled = true
+ default_policy = "allow"
+ enable_token_persistence = true
+}
+
diff --git a/ansible/roles/nummer5/files/nomad-ui.json.j2 b/ansible/roles/nummer5/files/nomad-ui.json.j2
new file mode 100644
index 0000000..692d59b
--- /dev/null
+++ b/ansible/roles/nummer5/files/nomad-ui.json.j2
@@ -0,0 +1,15 @@
+{
+ "service": {
+ "ID": "nomad-ui-{{ ansible_nodename }}",
+ "Name": "nomad-ui",
+ "Tags": [
+ "traefik.enable=true",
+ "traefik.http.routers.nomad-ui-http.rule=Host(`nomad.service.nr5`)"
+ ],
+ "Port": 4646,
+ "Check": {
+ "HTTP": "http://{{ ansible_facts['default_ipv4']['address'] }}:4646/ui/",
+ "Interval": "60s"
+ }
+ }
+}
diff --git a/ansible/roles/nummer5/files/vault-ui.json.j2 b/ansible/roles/nummer5/files/vault-ui.json.j2
new file mode 100644
index 0000000..f2945eb
--- /dev/null
+++ b/ansible/roles/nummer5/files/vault-ui.json.j2
@@ -0,0 +1,11 @@
+{
+ "service": {
+ "ID": "vault-ui-{{ ansible_nodename }}",
+ "Name": "vault-ui",
+ "Tags": [
+ "traefik.enable=true",
+ "traefik.http.routers.vault-ui-http.rule=HostSNI(`vault.service.nr5`)"
+ ],
+ "Port": 8200
+ }
+}
diff --git a/ansible/roles/nummer5/tasks/consul.yaml b/ansible/roles/nummer5/tasks/consul.yaml
new file mode 100644
index 0000000..969905c
--- /dev/null
+++ b/ansible/roles/nummer5/tasks/consul.yaml
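Review bot: `default_policy = "allow"` on line 3 makes the ACL system permissive — every request that carries no token is allowed — so enabling ACLs here changes nothing for unauthenticated clients, while the UI registrations in this commit publish the API through Traefik. Set `default_policy = "deny"`, run the one-time `consul acl bootstrap` to obtain a management token, and give each agent its own token via `tokens { agent = "..." }` from a vaulted variable; that last step means this file has to become a template, because the `copy` task in `consul.yaml` ships it verbatim. `enable_token_persistence = true` is reasonable, but it stores API-set tokens under `data_dir`, so that directory's permissions then matter as well.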
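Review bot: Line 7 uses `HostSNI(...)` as the rule of an HTTP router (`traefik.http.routers.vault-ui-http.rule`), but as far as I know `HostSNI` is only a TCP-router matcher, so Traefik should reject the rule and never route this service. If Vault listens with TLS on 8200 and the intent is SNI passthrough, the labels belong on a TCP router — `traefik.tcp.routers.vault-ui.rule` with the same `HostSNI` value plus `traefik.tcp.routers.vault-ui.tls.passthrough=true`; if Traefik is meant to terminate TLS, keep the HTTP router and use `Host(...)` as the two sibling files do. Unlike `consul-ui.json.j2` and `nomad-ui.json.j2` this registration has no `Check`, so a stopped Vault still receives traffic; a `"TCP"` check on port 8200 with the same `"Interval": "60s"` would be the minimal fix.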
@@ -0,0 +1,41 @@
+- name: Install consul Package
+ apt:
+ state: present
+ name:
+ - consul
+
+- name: Consul acl
+ register: conf_update
+ copy:
+ src: consul_acl.hcl
+ dest: /etc/consul.d/acl.hcl
+
+- name: Configure Consul
+ register: conf_update
+ template:
+ src: files/consul.hcl.j2
+ dest: /etc/consul.d/consul.hcl
+
+- name: Consul UI
+ register: conf_update
+ template:
+ src: files/consul-ui.json.j2
+ dest: /etc/consul.d/consul-ui.json
+
+- name: Nomad UI
+ register: conf_update
+ template:
+ src: files/nomad-ui.json.j2
+ dest: /etc/consul.d/nomad-ui.json
+
+- name: Vault UI
+ register: conf_update
+ template:
+ src: files/vault-ui.json.j2
+ dest: /etc/consul.d/vault-ui.json
+
+- name: Restart consul
+ service:
+ name: consul
+ state: restarted
+ when: conf_update.changed
\ No newline at end of file
diff --git a/ansible/roles/nummer5/tasks/main.yaml b/ansible/roles/nummer5/tasks/main.yaml
index 32dccd4..45f6987 100644
--- a/ansible/roles/nummer5/tasks/main.yaml
+++ b/ansible/roles/nummer5/tasks/main.yaml
@@ -10,4 +10,7 @@
 name: java
 - name: Nomad
- include_tasks: nomad.yaml
\ No newline at end of file
+ include_tasks: nomad.yaml
+
+- name: Consul
+ include_tasks: consul.yaml
\ No newline at end of file
diff --git a/ansible/roles/nummer5/tasks/nomad.yaml b/ansible/roles/nummer5/tasks/nomad.yaml
index a062533..1632bc3 100644
--- a/ansible/roles/nummer5/tasks/nomad.yaml
+++ b/ansible/roles/nummer5/tasks/nomad.yaml
@@ -15,6 +15,12 @@
 register: conf_update
 template:
 src: files/nomad.hcl.j2
- dest: /tmp/nomad.hcl
+ dest: /etc/nomad.d/nomad.hcl
+
+- name: Restart nomad
+ service:
+ name: nomad
+ state: restarted
+ when: conf_update.changed
\ No newline at end of file
diff --git a/drone.yml.bak b/drone.yml.bak
new file mode 100644
index 0000000..6807028
--- /dev/null
+++ b/drone.yml.bak
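Review bot: Every file task writes `register: conf_update`, so when `Restart consul` evaluates `when: conf_update.changed` it only sees the result of `Vault UI`; a change to `acl.hcl`, `consul.hcl` or either of the other two UI files on its own never triggers the restart and the agent keeps running with stale ACL mode, gossip key or bind address. Replace the register chain with `notify: Restart consul` on each file task and make the restart a handler, which also runs once at the end of the play rather than in the middle of the role; `nomad.yaml` in this commit uses the same inline-restart pattern and should get the same treatment. Because `consul.hcl` carries the gossip key, the `copy`/`template` tasks should also set ownership and `mode: "0640"` so the rendered files are not world-readable. The `.j2` sources are referenced as `files/...`; Ansible would find them without a prefix if they lived under `templates/`.
```yaml
- name: Consul acl
  copy:
    src: consul_acl.hcl
    dest: /etc/consul.d/acl.hcl
    owner: consul  # assumes the Debian package creates this user — confirm
    group: consul
    mode: "0640"
  notify: Restart consul

- name: Configure Consul
  template:
    src: files/consul.hcl.j2
    dest: /etc/consul.d/consul.hcl
    owner: consul
    group: consul
    mode: "0640"
  notify: Restart consul

# … unchanged: Consul UI, Nomad UI, Vault UI template tasks, each with `notify: Restart consul` in place of `register: conf_update` …

# moves to the role's handlers file (path not shown in this commit), replacing the inline Restart consul task
- name: Restart consul
  service:
    name: consul
    state: restarted
```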
@@ -0,0 +1,23 @@
+kind: pipeline
+type: docker
+name: nomad-nummer5
+
+platform:
+ os: linux
+ arch: arm64
+
+
+environment:
+ TARGET_HOST: "test.chaos"
+
+steps:
+- name: git log
+ image: cr.wks/debian-stable
+ commands:
+ - git diff-tree --no-commit-id --name-only HEAD -r
+- name: test
+ image: alpine
+ commands:
+ - echo hello
+ - echo world
+ - echo $TARGET_HOST
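Review bot: `drone.yml.bak` is a backup copy committed at the repository root; Drone only reads `.drone.yml`, so this file is dead configuration and should either be left out of the commit or restored under its real name. If it is kept, `echo $TARGET_HOST` on the last line should be `echo "$TARGET_HOST"` so the shell does not word-split the value, and the double blank line before `environment:` breaks the one-blank-line convention the rest of the file follows.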