rc/servers
2
0
Fork 0
Code Issues Pull requests Actions Packages Projects 1 Releases Wiki Activity
137 commits 1 branch 0 tags 312 KiB
Commit graph

10 commits

Author SHA1 Message Date
Timotej Lazar 46a9ff6fc0 ceph: add LE certificates 
With a hook to restart RGW services on renewal, if there are any. Live
certificates are linked to the same path under /etc/ceph on each host,
so that the orch service spec is node-independent.

Use with something like this (port 80 must be kept free for standalone
certbot renewal):

    service_type: rgw
    spec:
      rgw_frontend_port: 8080
      rgw_frontend_extra_args:
        - ssl_port=443
        - ssl_private_key=/etc/ceph/privkey.pem
        - ssl_certificate=/etc/ceph/fullchain.pem
    extra_container_args:
      - "--volume"
      - "/etc/ceph:/etc/ceph:ro"
      - "--volume"
      - "/etc/letsencrypt:/etc/letsencrypt:ro"
 2024-11-08 16:38:15 +01:00
Timotej Lazar 036f7c8b74 Support custom allowed_ips field for services 
Like allowed_prefixes, but for single IP addresses. Currently used
just for DHCP server to allow (only) packets from relays.
 2024-08-03 11:44:03 +02:00
Timotej Lazar 29598ef4bb Rework service handling 
Allow running playbooks without NetBox access. Mainly to bootstrap
NetBox itself.

Would prefer not to access network from filter plugins, so maybe do
that at some point also.
 2024-06-19 13:33:32 +02:00
Timotej Lazar 25bcddede1 Factor frr role from debian, ceph and proxmox 
Consolidate base system and networking setup into debian role and BGP
configuration into frr role. Add facts role to collect data from NetBox
once to avoid many slow lookups. Also many other tweaks and cleanups.
 2024-05-19 14:21:25 +02:00
Timotej Lazar 5762236ac2 ceph: fix nftables management rule 
The mgmt VRF might not exist yet when nftables rules are loaded, so
use iifname instead of iif for dynamic interface lookup.
 2024-05-09 12:30:42 +02:00
Timotej Lazar 8be55c2bde ceph: set up firewall 
Still need to drop the hardcoded allowed set.
 2024-04-05 06:12:58 +02:00
Timotej Lazar 0c063a017b ceph: allow some ICMP 2024-03-14 14:34:44 +01:00
Timotej Lazar ce7903e43a ceph: improve cluster setup 
Remove separate NetBox lookups. Explicitly allow connections between
cluster nodes. Tigthen temporary allowed IPv6 ranges.
 2024-03-01 08:45:51 +01:00
Timotej Lazar c395fe22c7 ceph: allow connections from more addresses 
Should unhardcode this at some point.
 2024-01-17 19:19:55 +01:00
Timotej Lazar 5038411af3 Add ceph role 
Just prepares the servers, all management is then done through cephadm.
 2023-11-20 13:04:11 +01:00