diff --git a/roles/ceph/handlers/main.yml b/roles/ceph/handlers/main.yml
new file mode 100644
index 0000000..6746e38
--- /dev/null
+++ b/roles/ceph/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: reboot
+ reboot:
+
+- name: reload nftables
+ service:
+ name: nftables
+ state: reloaded
diff --git a/roles/ceph/tasks/firewall.yml b/roles/ceph/tasks/firewall.yml
new file mode 100644
index 0000000..be12d9b
--- /dev/null
+++ b/roles/ceph/tasks/firewall.yml
@@ -0,0 +1,16 @@
+- name: Install nftables
+ package:
+ name: nftables
+
+- name: Configure nftables
+ template:
+ dest: /etc/nftables.conf
+ src: nftables.conf.j2
+ mode: 0644
+ notify: reload nftables
+
+- name: Enable nftables
+ service:
+ name: nftables
+ enabled: true
+ state: started
diff --git a/roles/ceph/tasks/main.yml b/roles/ceph/tasks/main.yml
new file mode 100644
index 0000000..085180b
--- /dev/null
+++ b/roles/ceph/tasks/main.yml
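Review bot: The `Configure nftables` template task writes /etc/nftables.conf without checking that it parses, so a template error only surfaces when the `reload nftables` handler runs at the end of the play, by which point the broken file is already on disk and the next `nftables.service` start at boot will fail and leave the host with no ruleset at all (`nft -f` is atomic, so only the running ruleset survives until reboot). Add `validate: /usr/sbin/nft -c -f %s` to the template task so a bad ruleset is rejected before it replaces the working one. `mode: 0644` is fine for Ansible but `mode: "0644"` avoids the YAML 1.1 octal ambiguity; the file contains no secrets, so world-readable is acceptable. The `reboot` handler in the first hunk is defined but nothing in this diff notifies it, which is worth a comment if it is meant for a later task.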
@@ -0,0 +1,38 @@
+- name: Configure /etc/hosts
+ template:
+ dest: /etc/hosts
+ src: hosts.j2
+
+- name: Get cluster
+ set_fact:
+ cluster: "{{ query('netbox.netbox.nb_lookup', 'clusters', raw_data=true, api_filter='name='~cluster) | first }}"
+
+- name: Generate my SSH key
+ openssh_keypair:
+ path: /root/.ssh/id_ed25519
+ type: ed25519
+ comment: "root@{{ ansible_hostname }}"
+ register: my_key
+
+- name: Deploy my key on other nodes
+ authorized_key:
+ user: root
+ key: "{{ my_key.public_key }}"
+ comment: "{{ my_key.comment }}"
+ delegate_to: "{{ item }}"
+ loop: "{{ query('netbox.netbox.nb_lookup', 'devices', api_filter='cluster_id='~cluster.id, raw_data=true) | map(attribute='name') }}"
+
+- name: Install required packages
+ package:
+ name:
+ - lvm2
+ - podman
+
+- name: Install cephadm script
+ get_url:
+ url: https://download.ceph.com/rpm-{{ ceph_version }}/el9/noarch/cephadm
+ checksum: sha512:dc9bfed5b56c3756720e935a1520ccffe4ecf5e37502fe60a6ff835b98da8afe23a0ecab3770698c10ce1278004c788091eed9b4651d1c52f8d05729b4036c12
+ dest: /usr/local/bin/cephadm
+ mode: 0755
+
+- include_tasks: firewall.yml
diff --git a/roles/ceph/templates/hosts.j2 b/roles/ceph/templates/hosts.j2
new file mode 100644
index 0000000..9fdb26b
--- /dev/null
+++ b/roles/ceph/templates/hosts.j2
@@ -0,0 +1,11 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+{% set my_cluster = query('netbox.netbox.nb_lookup', 'clusters', raw_data=true, api_filter='name='~cluster) | first %}
+{% for host in query('netbox.netbox.nb_lookup', 'devices', raw_data=true, api_filter='cluster_id='~my_cluster.id) | map(attribute='name') %}
+{% for address in (hostvars[host].interfaces | selectattr('name', 'equalto', 'lo') | map(attribute='ip_addresses') | first) %}
+{{ address.address | ipaddr('address') }} {{ host }}
+{% endfor %}
+{% endfor %}
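Review bot: `Deploy my key on other nodes` installs each node's root key into root's authorized_keys on every device NetBox lists in the cluster (presumably including the node itself) with no restriction on where the key may be used from, and nothing ever removes a key once a device leaves the cluster, since `authorized_key` is run neither with `exclusive` nor with a `state: absent` pass. At minimum pin the key to the cluster's own addresses with `key_options: 'from="<cluster node addresses>"'` (the loopback addresses rendered into /etc/hosts are the natural list), and confirm whether this hand-rolled root mesh is needed at all given that cephadm expects its own key in root's authorized_keys on each host. `Get cluster` also overwrites `cluster` — until then the cluster *name*, as both `api_filter` strings use it — with the whole cluster object, which only works because hosts.j2 renders first; a distinct fact name such as `cluster_obj` avoids the shadowing. The `get_url` checksum pins one exact cephadm build while the URL is parameterized by `ceph_version`, so bumping the variable fails the task until the checksum is updated, which is correct fail-closed behaviour but deserves a comment above it like `# sha512 of cephadm for ceph_version={{ ceph_version }}; update both together`.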
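Review bot: `ipaddr('address')` uses the legacy unqualified filter name; current collections ship it as `ansible.utils.ipaddr` and the `ansible.netcommon` alias has been deprecated, so the line should read `{{ address.address | ansible.utils.ipaddr('address') }} {{ host }}` to survive a collection upgrade. The inner `| first` assumes every device in the cluster has a `lo` interface with at least one address in NetBox; a device without one makes the whole template, and with it `Configure /etc/hosts`, fail rather than just omitting that host — if that fail-closed behaviour is intended, say so with `{# every cluster node must have a lo interface with its loopback address in NetBox #}`. Since these entries are how each node resolves every other Ceph node, the file is only as trustworthy as write access to NetBox; that dependency belongs in the role's README.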
diff --git a/roles/ceph/templates/nftables.conf.j2 b/roles/ceph/templates/nftables.conf.j2
new file mode 100644
index 0000000..1f4044d
--- /dev/null
+++ b/roles/ceph/templates/nftables.conf.j2
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+# Just a temporary filter until we get our shit together policy-wise.
+table inet filter {
+ set allowed {
+ type ipv4_addr
+ flags interval
+ elements = { 10.32.0.0/14, 193.2.76.176/24, 192.168.19.0/24, 192.168.251.0/24 }
+ }
+
+ chain input {
+ type filter hook input priority filter; policy drop
+
+ ct state vmap { invalid : drop, established : accept, related : accept }
+ iif lo accept
+
+ # BGP / BFD sessions
+ iif lan0 ip6 saddr fe80::/64 accept
+ iif lan1 ip6 saddr fe80::/64 accept
+
+ ip saddr @allowed accept
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy accept
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept
+ }
+}
diff --git a/setup.yml b/setup.yml
index 10588c9..2296139 100644
--- a/setup.yml
+++ b/setup.yml
@@ -1,6 +1,7 @@
 - hosts: ceph-*
 roles:
 - debian
+ - ceph
 
 - hosts: proxmox-rc-next-*
 roles:
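Review bot: With `policy drop` on `input` and no ICMP/ICMPv6 rule, the only ICMPv6 that gets in is link-local traffic on lan0/lan1, so neighbour discovery on any other interface, Packet-Too-Big from off-link routers (i.e. PMTUD) and echo from anything outside `@allowed` are silently dropped — and because `@allowed` is `type ipv4_addr`, every IPv6 source other than those two link-local rules is rejected. Add `meta l4proto ipv6-icmp accept` (or a tighter `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, destination-unreachable, time-exceeded } accept`) and `ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept` next to `iif lo accept`. `forward` is `policy accept` on a host that also installs podman, so anything the containers route through the host passes unfiltered; if that is deliberate it deserves an explicit comment rather than the generic "temporary filter" remark. Whether the nodes' own loopback addresses (the ones rendered into /etc/hosts) fall inside `10.32.0.0/14` is not visible here — if they do not, inter-node Ceph traffic is dropped as well.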