With a hook to restart RGW services on renewal, if there are any. Live certificates are linked to the same path under /etc/ceph on each host, so that the orch service spec is node-independent; because those links resolve into /etc/letsencrypt, both directories are mounted read-only into the RGW container. Use with something like this (port 80 must be kept free for standalone certbot renewal):

```yaml
service_type: rgw
spec:
  rgw_frontend_port: 8080
  rgw_frontend_extra_args:
    - ssl_port=443
    - ssl_private_key=/etc/ceph/privkey.pem
    - ssl_certificate=/etc/ceph/fullchain.pem
extra_container_args:
  - "--volume"
  - "/etc/ceph:/etc/ceph:ro"
  - "--volume"
  - "/etc/letsencrypt:/etc/letsencrypt:ro"
```
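The renewal hook referred to above, written out as an added example (it is not the project's own script). certbot runs `--deploy-hook` scripts after a successful renewal with `RENEWED_LINEAGE` set to the lineage's live directory; the hook links that lineage's `privkey.pem` and `fullchain.pem` to the stable paths under `/etc/ceph` the spec uses, then restarts every RGW service reported by `ceph orch ls rgw`. Assumptions: the `ceph` CLI is on PATH with a keyring allowed to run `ceph orch`, the target directory is `/etc/ceph`, and the script name used in the usage note is hypothetical.

```python
#!/usr/bin/env python3
"""Certbot deploy hook for a cephadm-managed RGW (added example, not the
project's own script).

certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy
hooks.  We link that lineage's certificate files to /etc/ceph and restart
the RGW services the orchestrator knows about.  Assumed: `ceph` on PATH
with a keyring that may run `ceph orch`; target directory /etc/ceph."""
import json
import os
import subprocess
import sys

CERT_FILES = ("privkey.pem", "fullchain.pem")


def link_certs(lineage, ceph_dir="/etc/ceph"):
    """Atomically (re)point <ceph_dir>/<file> at <lineage>/<file> for each
    certificate file.  Symlinks rather than copies: the live/ entries follow
    renewals, so the container sees new files without a redeploy (which is
    why the spec also mounts /etc/letsencrypt read-only).  Returns the
    mapping of link name -> target."""
    targets = {}
    for name in CERT_FILES:
        src = os.path.join(lineage, name)
        if not os.path.isfile(src):
            raise FileNotFoundError(f"{src} is missing; refusing to relink")
        dst = os.path.join(ceph_dir, name)
        tmp = dst + ".tmp"
        if os.path.lexists(tmp):          # leftover from an interrupted run
            os.unlink(tmp)
        os.symlink(src, tmp)
        os.replace(tmp, dst)              # rename over the old link: no gap
        targets[name] = src
    return targets


def parse_service_names(orch_ls_json):
    """Service names from `ceph orch ls rgw --format json`; [] when the
    output is not a JSON list of specs (e.g. 'No services reported')."""
    try:
        return [s["service_name"] for s in json.loads(orch_ls_json)]
    except (ValueError, KeyError, TypeError):
        return []


def rgw_services(ceph_bin="ceph"):
    proc = subprocess.run([ceph_bin, "orch", "ls", "rgw", "--format", "json"],
                          capture_output=True, text=True, check=False)
    return parse_service_names(proc.stdout)


def restart_rgw(services, ceph_bin="ceph"):
    """Restart each RGW service; a no-op when there are none."""
    for svc in services:
        subprocess.run([ceph_bin, "orch", "restart", svc], check=True)


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        print("RENEWED_LINEAGE is not set; run this via certbot --deploy-hook",
              file=sys.stderr)
        return 2
    link_certs(lineage)
    restart_rgw(rgw_services())
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it on each RGW host and pass it to certbot, for example `certbot renew --deploy-hook /usr/local/sbin/rgw-cert-hook.py` (hypothetical path). Because only symlinks are written, the private key keeps certbot's own file permissions; the hook does not need to copy or chmod anything.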
These Ansible roles set up servers running various Linux distributions to participate in BGP routing. Device and IP address data are pulled from NetBox. A separate VRF `mgmt` is configured for an L2 management interface.
Setup
Each server should have the following information recorded in NetBox:

- network interfaces `mgmt*`: used for management (Ansible) access; must define MAC and IP address
- network interfaces `lan*`: used for BGP routing; must define MAC address
- network interface `lo`: must define the IP address to announce over BGP, which also serves as the router ID

MAC addresses are used to rename interfaces in the host OS. The prefix for the management IP address should define the `gateway` custom field.
Run
Create a read-only token in NetBox; the roles only read device and IP data, so a token with write permissions would be needless exposure. Define the required variables:

```sh
export NETBOX_API=<url>
export NETBOX_TOKEN=<token>
```

Typing the token on the command line leaves it in shell history; reading it from a file with restricted permissions (or a secrets manager) avoids that.

Run one-off tasks with (add `--key-file` or other options as necessary):

```sh
ansible -m ping 'server-*'
```

Run a playbook with:

```sh
ansible-playbook setup.yml -l 'server-*'
```