mirror of
https://github.com/norohind/nebula-ansible.git
synced 2025-07-15 16:51:11 +03:00
Compare commits
No commits in common. "96ae22adab0cef5954cf913f12730d50289d7b66" and "c652142efcd00a5f252954dc07f43f23a572d1f6" have entirely different histories.
96ae22adab
...
c652142efc
@ -8,7 +8,7 @@ namespace: norohind
|
|||||||
name: nebula
|
name: nebula
|
||||||
|
|
||||||
# The version of the collection. Must be compatible with semantic versioning
|
# The version of the collection. Must be compatible with semantic versioning
|
||||||
version: 1.1.0
|
version: 1.0.1
|
||||||
|
|
||||||
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
|
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
|
||||||
readme: README.md
|
readme: README.md
|
||||||
|
|||||||
@ -19,8 +19,6 @@ nebula_service_name_default: nebula
|
|||||||
service_name_mapping:
|
service_name_mapping:
|
||||||
- Debian: "nebula@config"
|
- Debian: "nebula@config"
|
||||||
|
|
||||||
force_download: false
|
|
||||||
|
|
||||||
duration:
|
duration:
|
||||||
nebula_groups:
|
nebula_groups:
|
||||||
|
|
||||||
|
|||||||
@ -11,6 +11,12 @@
|
|||||||
dest: "{{ nebula_bin_dir }}"
|
dest: "{{ nebula_bin_dir }}"
|
||||||
remote_src: true
|
remote_src: true
|
||||||
|
|
||||||
|
- name: Create nebula config directory
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ config_prefix }}"
|
||||||
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
- name: Template nebula systemd unit
|
- name: Template nebula systemd unit
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: nebula.service.j2
|
src: nebula.service.j2
|
||||||
|
|||||||
@ -8,38 +8,17 @@
|
|||||||
|
|
||||||
- name: Correct nebula_addr
|
- name: Correct nebula_addr
|
||||||
when: not nebula_addr is search("/")
|
when: not nebula_addr is search("/")
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
set_fact:
|
set_fact:
|
||||||
nebula_addr: "{{ nebula_addr + '/' + nebula_subnet }}"
|
nebula_addr: "{{ nebula_addr + '/' + nebula_subnet }}"
|
||||||
|
|
||||||
- name: Set nebula service name
|
- name: Set nebula service name
|
||||||
when: not force_download
|
|
||||||
tags:
|
tags:
|
||||||
- installation
|
- installation
|
||||||
set_fact:
|
set_fact:
|
||||||
nebula_service_name: "{{ service_name_mapping[ansible_distribution] | default(nebula_service_name_default) }}"
|
nebula_service_name: "{{ service_name_mapping[ansible_distribution] | default(nebula_service_name_default) }}"
|
||||||
|
|
||||||
- name: Set nebula service name
|
|
||||||
when: force_download
|
|
||||||
tags:
|
|
||||||
- installation
|
|
||||||
set_fact:
|
|
||||||
nebula_service_name: "{{ nebula_service_name_default }}"
|
|
||||||
|
|
||||||
- name: Create nebula config directory
|
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
- installation
|
|
||||||
- config
|
|
||||||
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ config_prefix }}"
|
|
||||||
state: directory
|
|
||||||
mode: "0755"
|
|
||||||
|
|
||||||
- name: Install nebula
|
- name: Install nebula
|
||||||
when: ansible_distribution != "Ubuntu" and not force_download
|
when: ansible_distribution != "Ubuntu"
|
||||||
tags:
|
tags:
|
||||||
- installation
|
- installation
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
@ -47,38 +26,30 @@
|
|||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Install nebula from GitHub
|
- name: Install nebula from GitHub
|
||||||
when: ansible_distribution == "Ubuntu" or force_download
|
when: ansible_distribution == "Ubuntu"
|
||||||
tags:
|
tags:
|
||||||
- installation
|
- installation
|
||||||
ansible.builtin.import_tasks: download-nebula.yaml
|
ansible.builtin.import_tasks: download-nebula.yaml
|
||||||
|
|
||||||
- name: Generate Nebula key pair
|
- name: Generate Nebula key pair
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
command: nebula-cert keygen -out-key {{ inventory_hostname }}.key -out-pub {{ inventory_hostname }}.pub
|
command: nebula-cert keygen -out-key {{ inventory_hostname }}.key -out-pub {{ inventory_hostname }}.pub
|
||||||
args:
|
args:
|
||||||
chdir: "{{ config_prefix }}"
|
chdir: "{{ config_prefix }}"
|
||||||
creates: "{{ inventory_hostname }}.pub"
|
creates: "{{ inventory_hostname }}.pub"
|
||||||
|
|
||||||
- name: Copy public key of a remote host to sign locally
|
- name: Copy public key of a remote host to sign locally
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
fetch:
|
fetch:
|
||||||
flat: true
|
flat: true
|
||||||
src: "{{ config_prefix }}/{{ inventory_hostname }}.pub"
|
src: "{{ config_prefix }}/{{ inventory_hostname }}.pub"
|
||||||
dest: "{{ pub_dir }}/{{ inventory_hostname }}.pub"
|
dest: "{{ pub_dir }}/{{ inventory_hostname }}.pub"
|
||||||
|
|
||||||
- name: Check cert exists on remote host
|
- name: Check cert exists on remote host
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
stat:
|
stat:
|
||||||
path: "{{ config_prefix }}/{{ inventory_hostname }}.crt"
|
path: "{{ config_prefix }}/{{ inventory_hostname }}.crt"
|
||||||
register: cert_present
|
register: cert_present
|
||||||
|
|
||||||
- name: Fetch cert properties from remote host
|
- name: Fetch cert properties from remote host
|
||||||
when: cert_present.stat.exists
|
when: cert_present.stat.exists
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
command:
|
command:
|
||||||
cmd: 'nebula-cert print -path "{{ config_prefix }}/{{ inventory_hostname }}.crt" -json'
|
cmd: 'nebula-cert print -path "{{ config_prefix }}/{{ inventory_hostname }}.crt" -json'
|
||||||
failed_when: cert_properties.stderr | length > 0 or cert_properties.rc != 0
|
failed_when: cert_properties.stderr | length > 0 or cert_properties.rc != 0
|
||||||
@ -88,8 +59,6 @@
|
|||||||
|
|
||||||
- name: Compare groups, name, address; check cert expiration
|
- name: Compare groups, name, address; check cert expiration
|
||||||
when: cert_present.stat.exists
|
when: cert_present.stat.exists
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
set_fact:
|
set_fact:
|
||||||
comparison:
|
comparison:
|
||||||
- property: name
|
- property: name
|
||||||
@ -125,22 +94,16 @@
|
|||||||
|
|
||||||
- name: Set do_reissue
|
- name: Set do_reissue
|
||||||
when: cert_present.stat.exists
|
when: cert_present.stat.exists
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
set_fact:
|
set_fact:
|
||||||
do_reissue: "{{ comparison | map(attribute='should_reissue') | select('equalto', true) | list | length > 0 }}"
|
do_reissue: "{{ comparison | map(attribute='should_reissue') | select('equalto', true) | list | length > 0 }}"
|
||||||
|
|
||||||
- name: Log reason for certificate reissuance
|
- name: Log reason for certificate reissuance
|
||||||
when: do_reissue
|
when: do_reissue
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
debug:
|
debug:
|
||||||
var: comparison | selectattr('should_reissue')
|
var: comparison | selectattr('should_reissue')
|
||||||
|
|
||||||
- name: Issue certificate
|
- name: Issue certificate
|
||||||
when: not cert_present.stat.exists or do_reissue
|
when: not cert_present.stat.exists or do_reissue
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
shell: >
|
shell: >
|
||||||
nebula-cert sign \
|
nebula-cert sign \
|
||||||
@ -159,8 +122,6 @@
|
|||||||
|
|
||||||
- name: Log new cert data
|
- name: Log new cert data
|
||||||
when: not cert_present.stat.exists or do_reissue
|
when: not cert_present.stat.exists or do_reissue
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
shell: >
|
shell: >
|
||||||
nebula-cert print -path {{ inventory_hostname | quote }}.crt -json >> {{ ct_log_file | quote }}
|
nebula-cert print -path {{ inventory_hostname | quote }}.crt -json >> {{ ct_log_file | quote }}
|
||||||
@ -168,8 +129,6 @@
|
|||||||
- name: Copy issued certificate
|
- name: Copy issued certificate
|
||||||
notify: nebula_reload
|
notify: nebula_reload
|
||||||
when: not cert_present.stat.exists or do_reissue
|
when: not cert_present.stat.exists or do_reissue
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
copy:
|
copy:
|
||||||
src: "{{ inventory_hostname }}.crt"
|
src: "{{ inventory_hostname }}.crt"
|
||||||
dest: "{{ config_prefix }}/{{ inventory_hostname }}.crt"
|
dest: "{{ config_prefix }}/{{ inventory_hostname }}.crt"
|
||||||
@ -177,8 +136,6 @@
|
|||||||
- name: Delete issued certificate from management node
|
- name: Delete issued certificate from management node
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
when: not cert_present.stat.exists or do_reissue
|
when: not cert_present.stat.exists or do_reissue
|
||||||
tags:
|
|
||||||
- sign
|
|
||||||
file:
|
file:
|
||||||
path: "{{ inventory_hostname }}.crt"
|
path: "{{ inventory_hostname }}.crt"
|
||||||
state: absent
|
state: absent
|
||||||
@ -186,15 +143,11 @@
|
|||||||
- name: Generate Nebula ssh host key
|
- name: Generate Nebula ssh host key
|
||||||
shell: >
|
shell: >
|
||||||
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
|
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
|
||||||
tags:
|
|
||||||
- debug-ssh
|
|
||||||
args:
|
args:
|
||||||
chdir: "{{ config_prefix }}"
|
chdir: "{{ config_prefix }}"
|
||||||
creates: ssh_host_ed25519_key
|
creates: ssh_host_ed25519_key
|
||||||
|
|
||||||
- name: Copy nebula config
|
- name: Copy nebula config
|
||||||
tags:
|
|
||||||
- config
|
|
||||||
notify: nebula_reload
|
notify: nebula_reload
|
||||||
copy:
|
copy:
|
||||||
src: "{{ configs_dir }}/{{ inventory_hostname }}.yaml"
|
src: "{{ configs_dir }}/{{ inventory_hostname }}.yaml"
|
||||||
@ -202,8 +155,6 @@
|
|||||||
|
|
||||||
- name: Verify configuration
|
- name: Verify configuration
|
||||||
command: "nebula -test -config {{ config_prefix }}/config.yml"
|
command: "nebula -test -config {{ config_prefix }}/config.yml"
|
||||||
tags:
|
|
||||||
- config
|
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
- name: Enable nebula service (systemd)
|
- name: Enable nebula service (systemd)
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user