Initial role stuff

This also sets up tls-termination for mosquitto

_deprecated/netmaker/meta/main.yml

@@ -0,0 +1,3 @@
+---
+  dependencies: []
+    #- role: docker

_deprecated/netmaker/tasks/join-network.yml

@@ -2,4 +2,6 @@
   when: "netclient.join_network_token is defined"
   command: "netclient join -t {{ netclient.join_network_token }}"
   failed_when: command.rc != 0
+  changed_when: "'starting wireguard' in command.stdout"
   register: command
+  throttle: 1

_deprecated/netmaker/tasks/main.yml

@@ -3,3 +3,6 @@
 - import_tasks: ./install.yml
 
 - import_tasks: ./join-network.yml
+
+- name: Gather facts to get changes
+  ansible.builtin.gather_facts:

_deprecated/netmaker_server/docs/architecture.puml

@@ -30,7 +30,7 @@ component netmaker_server {
   component nm_api
   nm_api -down- nm_api_http
   ng_http --( nm_api_http
-  nm_api -up-( ng_TLS : db-connection to rqlite-master
+  nm_api .up.( ng_TLS : db-connection to rqlite-master
   nm_api --( mq_plain
 }
 

_deprecated/netmaker_server/files/opt/netmaker_server/mosquitto/config/mosquitto.conf

@@ -1,11 +1,11 @@
 per_listener_settings false
 
 listener 8883
+protocol websockets
 allow_anonymous false
-certfile /certs/node.crt
-keyfile /certs/node.key
 
 listener 1883
+protocol websockets
 allow_anonymous false
 
 plugin /usr/lib/mosquitto_dynamic_security.so

_deprecated/netmaker_server/tasks/netmaker.yml

@@ -30,7 +30,7 @@
     headers:
       Authorization: 'Bearer {{ netmaker_creds.master_key }}'
       Content-Type: application/json
-  when: "inventory_hostname == groups['netmaker'][0]"
+  when: "inventory_hostname == groups['netmaker_server'][0]"
   register: default_mesh
   until: "default_mesh is not failed"
   retries: 2
@@ -50,7 +50,7 @@
     headers:
       Authorization: 'Bearer {{ netmaker_creds.master_key }}'
       Content-Type: application/json
-  when: "inventory_hostname == groups['netmaker'][0]"
+  when: "inventory_hostname == groups['netmaker_server'][0]"
   register: default_mesh_key
   until: "default_mesh_key is not failed"
   retries: 2

_deprecated/netmaker_server/templates/docker-compose.yml.template

@@ -33,15 +33,15 @@ services:
 
     -auth         /config.json
 
-{% if inventory_hostname != groups['netmaker'][0] %}
+{% if inventory_hostname != groups['netmaker_server'][0] %}
     -join-as  netmaker
-    -join     https://{{  netmaker_rqlite.http_host }}.{{ groups['netmaker'][0] }}:{{ netmaker_nginx.advertise_port }}
+    -join     https://{{  netmaker_rqlite.http_host }}.{{ groups['netmaker_server'][0] }}:{{ netmaker_nginx.advertise_port }}
 {% endif %}
     "
     # FIXME: /\ \/ Change http -> https
 
   netmaker: # The Primary Server for running Netmaker
-    image: gravitl/netmaker:v0.16.1
+    image: gravitl/netmaker:v0.17.1
     depends_on:
       - rqlite
     cap_add: 
@@ -104,7 +104,7 @@ services:
       - "51821-51830:51821-51830/udp" # wireguard ports
 
   netmaker-ui:  # The Netmaker UI Component
-    image: gravitl/netmaker-ui:v0.16.1
+    image: gravitl/netmaker-ui:v0.17.1
     depends_on:
       - netmaker
     links:
@@ -120,7 +120,6 @@ services:
       - ./mosquitto/config:/mosquitto/config
       - ./mosquitto/data:/mosquitto/data
       - ./mosquitto/logs:/mosquitto/log
-      - "./certs:/certs:ro"
     depends_on:
       - netmaker
     command: ["/mosquitto/config/wait.sh"]

_deprecated/netmaker_server/templates/nginx/passthrough.conf.template

@@ -6,7 +6,7 @@ stream{
         {{ netmaker_ui.host }}.{{ netmaker_base_domain }}   127.0.0.1:8443;
         {{ netmaker_api.host }}.{{ netmaker_base_domain }}  127.0.0.1:8443;
 
-        {{ netmaker_broker.tls_host }}.{{ netmaker_base_domain }}   mosquitto:8883; # todo: tls-terminate?
+        {{ netmaker_broker.tls_host }}.{{ netmaker_base_domain }}   127.0.0.1:8443;
 
         {{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }}    127.0.0.1:8443;
         {{ netmaker_rqlite.cluster_host }}.{{ ansible_facts.nodename }}   rqlite:4002;

_deprecated/netmaker_server/templates/nginx/proxy.conf.template

@@ -4,6 +4,8 @@ map $host    $proxy_name {
     {{ netmaker_ui.host }}.{{ netmaker_base_domain }}               netmaker-ui:80;
     {{ netmaker_api.host }}.{{ netmaker_base_domain }}              netmaker:8081;
 
+    {{ netmaker_broker.tls_host }}.{{ netmaker_base_domain }}       mosquitto:8883;
+
     {{ netmaker_rqlite.http_host }}.{{ ansible_facts.nodename }}    rqlite:4001;
 
     default         444;

common/defaults/main.yml

@@ -0,0 +1 @@
+ipv6_stable_secret: 1111:2222:3333:4444:5555:6666:7777:8888

common/tasks/main.yml

@@ -5,3 +5,5 @@
 - import_tasks: ./packages.yml
 
 - import_tasks: ./aliases.yml
+
+- import_tasks: ./networking.yml

common/tasks/networking.yml

@@ -0,0 +1,22 @@
+- name: Set sysctl settings for ip-forwarding
+  copy:
+      dest: "/etc/sysctl.d/ip-forwarding.conf"
+      content: |
+          net.ipv4.ip_forward           = 1
+          net.ipv6.conf.all.forwarding  = 1
+  notify: reload_sysctl
+
+- name: Set sysctl settings for ipv6-address-generation
+  copy:
+      dest: "/etc/sysctl.d/ipv6-slaac-address-generation.conf"
+      content: |
+          net.ipv6.conf.default.addr_gen_mode = 2
+          net.ipv6.conf.default.stable_secret = {{ ipv6_stable_secret }}
+  notify: reload_sysctl
+
+- name: Set sysctl settings to override ipv6-slaac with enabled forwarding
+  copy:
+      dest: "/etc/sysctl.d/ipv6-slaac-override.conf"
+      content: |
+          net.ipv6.conf.all.accept_ra = 2
+  notify: reload_sysctl

kubernetes/tasks/install/server/install_k3s.yml

@@ -26,7 +26,6 @@
     port: 6443
     state: started
   when: "inventory_hostname != groups['kubernetes'][0]"
-
 #- name: Add Kubernetes environment-vars to /etc/profile.d/
 #  blockinfile:
 #    path: /etc/profile.d/k3s-bin.sh

netmaker/meta/main.yml

@@ -1,3 +0,0 @@
----
-  dependencies:
-    - role: docker

nomad/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+nomad:
+  version: 1.4.4

nomad/files/systemd-service

@@ -0,0 +1,48 @@
+[Unit]
+Description=Nomad
+Documentation=https://www.nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+# When using Nomad with Consul it is not necessary to start Consul first. These
+# lines start Consul before Nomad as an optimization to avoid Nomad logging
+# that Consul is unavailable at startup.
+#Wants=consul.service
+#After=consul.service
+
+[Service]
+
+# Nomad server should be run as the nomad user. Nomad clients
+# should be run as root
+User=root
+Group=root
+
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=65536
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+
+## Configure unit start rate limiting. Units which are started more than
+## *burst* times within an *interval* time span are not permitted to start any
+## more. Use `StartLimitIntervalSec` or `StartLimitInterval` (depending on
+## systemd version) to configure the checking interval and `StartLimitBurst`
+## to configure how many starts per interval are allowed. The values in the
+## commented lines are defaults.
+
+# StartLimitBurst = 5
+
+## StartLimitIntervalSec is used for systemd versions >= 230
+# StartLimitIntervalSec = 10s
+
+## StartLimitInterval is used for systemd versions < 230
+# StartLimitInterval = 10s
+
+TasksMax=infinity
+OOMScoreAdjust=-1000
+
+[Install]
+WantedBy=multi-user.target

nomad/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  #- role: docker

nomad/tasks/install.yml

@@ -0,0 +1,43 @@
+- name: Download binary
+  ansible.builtin.unarchive:
+    remote_src: true
+    src: https://releases.hashicorp.com/nomad/{{ nomad.version }}/nomad_{{ nomad.version }}_{{ ansible_system | lower }}_{{ 'amd64' if ansible_architecture == 'x86_64' else ansible_architecture }}.zip
+    dest: /usr/local/bin/
+    mode: "755"
+
+- name: Deploy systemd-service file
+  ansible.builtin.copy:
+    src: systemd-service
+    dest: /etc/systemd/system/nomad.service
+    mode: u=rw,g=r,o=r
+
+- name: Create nomad user
+  ansible.builtin.user:
+    name: nomad
+    groups:
+      - docker
+    append: true
+
+- name: Create directory for configs
+  ansible.builtin.file:
+    path: /etc/nomad.d
+    state: directory
+    mode: "0755"
+    owner: "nomad"
+    group: "nomad"
+
+- name: Create nomad.hcl configuration file
+  ansible.builtin.template:
+    src: nomad.hcl.j2
+    dest: /etc/nomad.d/nomad.hcl
+    mode: "0644"
+    owner: "nomad"
+    group: "nomad"
+
+- name: Create directory for data
+  ansible.builtin.file:
+    path: /opt/nomad
+    state: directory
+    mode: "0755"
+    owner: "nomad"
+    group: "nomad"

nomad/tasks/launch.yml

@@ -0,0 +1,8 @@
+- name: Start service
+  ansible.builtin.service:
+    name: nomad
+    state: restarted
+
+- name: Waiting for service to accept connections
+  ansible.builtin.wait_for:
+    port: 4646

nomad/tasks/main.yml

@@ -0,0 +1,3 @@
+- import_tasks: ./install.yml
+
+- import_tasks: ./launch.yml

nomad/templates/nomad.hcl.j2

@@ -0,0 +1,71 @@
+data_dir = "/opt/nomad"
+datacenter = "{{ datacenter }}"
+
+
+bind_addr = "0.0.0.0"
+
+advertise {
+  # Defaults to the first private IP address.
+  #http = "1.2.3.4"
+  #rpc  = "1.2.3.4"
+  #serf = "1.2.3.4:5648" # non-default ports may be specified
+}
+
+{# TODO: Get interface-ip from hosts marked with type=server #}
+{% set server_hosts = ansible_play_batch | difference([inventory_hostname]) %}
+{% if type is defined and type == "server" %}
+server {
+  enabled = true
+  bootstrap_expect = {{ server_hosts | length }}
+
+  server_join {
+    retry_join = [ "{{ server_hosts | join('", "') }}" ]
+    retry_max = 6
+    retry_interval = "15s"
+  }
+
+  default_scheduler_config {
+    scheduler_algorithm             = "binpack"
+    memory_oversubscription_enabled = true
+    reject_job_registration         = false
+    pause_eval_broker               = false # New in Nomad 1.3.2
+
+    preemption_config {
+      batch_scheduler_enabled    = true
+      system_scheduler_enabled   = true
+      service_scheduler_enabled  = true
+      sysbatch_scheduler_enabled = true # New in Nomad 1.2
+    }
+  }
+}
+{% endif %}
+
+client {
+  enabled = true
+
+  {% if type != "server" %}
+  servers = [ "{{ server_hosts | join('", "') }}" ]
+  {% endif %}
+
+  meta {
+    node_type = "{{ type }}"
+    {% if storage is defined and storage %}
+    seaweedfs_volume = "true"
+    {% endif %}
+  }
+}
+
+
+plugin "raw_exec" {
+  config {
+    enabled = true
+  }
+}
+
+plugin "docker" {
+  config {
+    {% if type is defined and type == "server" %}
+    allow_privileged = true
+    {% endif %}
+  }
+}