Update ignition files
@@ -28,7 +28,7 @@ systemd:
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Install Docker CE
|
Description=Install Docker CE
|
||||||
Wants=network-online.target
|
Wants=network-online.target
|
||||||
After=network-online.target
|
After=ignition-start-config.service
|
||||||
Before=zincati.service
|
Before=zincati.service
|
||||||
ConditionPathExists=!/var/lib/%N.stamp
|
ConditionPathExists=!/var/lib/%N.stamp
|
||||||
|
|
||||||
|
|||||||
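Review bot: The new `After=ignition-start-config.service` replaces `After=network-online.target` while `Wants=network-online.target` is kept, so this unit is no longer ordered after the network target itself; the `curl` to download.docker.com now relies on a transitive ordering through ignition-start-config.service (which carries its own `After=network-online.target` in the base hunk further down), and that only holds while that unit stays enabled and part of the boot transaction. `Wants=` pulls the target in but does not wait for it, so keeping both entries is cheap and self-contained: `After=network-online.target ignition-start-config.service`. The same edit appears in the generated .ign counterpart and in the rpm-ostree-install-qemu-guest-agent unit (both .bu and .ign) in the base section, which should be changed the same way.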
@@ -39,7 +39,7 @@
|
|||||||
"systemd": {
|
"systemd": {
|
||||||
"units": [
|
"units": [
|
||||||
{
|
{
|
||||||
"contents": "[Unit]\nDescription=Install Docker CE\nWants=network-online.target\nAfter=network-online.target\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/curl --output-dir \"/etc/yum.repos.d\" --remote-name https://download.docker.com/linux/fedora/docker-ce.repo\nExecStart=/usr/bin/rpm-ostree override remove moby-engine containerd runc docker-cli --install docker-ce\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl enable docker.service\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target",
|
"contents": "[Unit]\nDescription=Install Docker CE\nWants=network-online.target\nAfter=ignition-start-config.service\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/curl --output-dir \"/etc/yum.repos.d\" --remote-name https://download.docker.com/linux/fedora/docker-ce.repo\nExecStart=/usr/bin/rpm-ostree override remove moby-engine containerd runc docker-cli --install docker-ce\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl enable docker.service\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target",
|
||||||
"enabled": true,
|
"enabled": true,
|
||||||
"name": "rpm-ostree-install-docker-ce.service"
|
"name": "rpm-ostree-install-docker-ce.service"
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
# Depends on base-install-docker
|
# Depends on base-install-docker
|
||||||
# Installs Komodo Periphery, Telegraf and Certbot
|
# Installs Komodo Periphery, Telegraf, sops and step-ca
|
||||||
variant: fcos
|
variant: fcos
|
||||||
version: 1.6.0
|
version: 1.6.0
|
||||||
|
|
||||||
@@ -10,7 +10,14 @@ storage:
|
|||||||
name: core
|
name: core
|
||||||
group:
|
group:
|
||||||
name: docker
|
name: docker
|
||||||
|
# Create sops config directory
|
||||||
|
- path: /var/home/core/.config/sops/age
|
||||||
|
user:
|
||||||
|
name: core
|
||||||
|
group:
|
||||||
|
name: core
|
||||||
files:
|
files:
|
||||||
|
# Configure telegraf
|
||||||
- path: /var/docker/.supporting-services/telegraf/telegraf.conf
|
- path: /var/docker/.supporting-services/telegraf/telegraf.conf
|
||||||
user:
|
user:
|
||||||
name: core
|
name: core
|
||||||
@@ -18,6 +25,7 @@ storage:
|
|||||||
name: docker
|
name: docker
|
||||||
contents:
|
contents:
|
||||||
source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/telegraf.conf
|
source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/telegraf.conf
|
||||||
|
# Add docker compose file
|
||||||
- path: /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/docker-compose.yml
|
- path: /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/docker-compose.yml
|
||||||
user:
|
user:
|
||||||
name: core
|
name: core
|
||||||
@@ -25,6 +33,7 @@ storage:
|
|||||||
name: docker
|
name: docker
|
||||||
contents:
|
contents:
|
||||||
source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/docker-compose.yml
|
source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/docker-compose.yml
|
||||||
|
# Add .env file
|
||||||
- path: /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/.env
|
- path: /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/.env
|
||||||
user:
|
user:
|
||||||
name: core
|
name: core
|
||||||
@@ -32,15 +41,21 @@ storage:
|
|||||||
name: docker
|
name: docker
|
||||||
contents:
|
contents:
|
||||||
source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/.env
|
source: https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/.env
|
||||||
|
- path: /var/home/core/.bashrc
|
||||||
|
append:
|
||||||
|
# Add step alias
|
||||||
|
- inline: "alias step='docker run --rm -v /var/home/core:/home/step -e STEPPATH=/home/step/.step smallstep/step-cli step'"
|
||||||
|
# Add sops alias
|
||||||
|
- inline: "alias sops='docker run --rm -it -v /var/home/core:/root -v /var/docker:/var/docker ghcr.io/getsops/sops:v3.11.0'"
|
||||||
|
|
||||||
systemd:
|
systemd:
|
||||||
units:
|
units:
|
||||||
# Install supporting services
|
# Bootstrap step-ca
|
||||||
- name: rpm-ostree-install-supporting-services.service
|
- name: bootstrap-step-ca.service
|
||||||
enabled: true
|
enabled: true
|
||||||
contents: |
|
contents: |
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Install Supporting Services
|
Description=Bootstrap step-ca
|
||||||
Wants=network-online.target
|
Wants=network-online.target
|
||||||
After=rpm-ostree-install-docker-ce.service
|
After=rpm-ostree-install-docker-ce.service
|
||||||
Before=zincati.service
|
Before=zincati.service
|
||||||
@@ -49,7 +64,7 @@ systemd:
|
|||||||
[Service]
|
[Service]
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
ExecStart=/usr/bin/docker compose -p "supporting-services" --env-file /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/.env -f /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/docker-compose.yml up -d
|
ExecStart=/usr/bin/docker run --rm -v ${HOME}:/home/step -e STEPPATH=/home/step/.step smallstep/step-cli step ca bootstrap --team mtls --team-url "https://mrmeeb.co.uk/step/<>"
|
||||||
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
|||||||
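Review bot: The `--team-url "https://mrmeeb.co.uk/step/<>"` in the new bootstrap-step-ca.service ExecStart still contains the literal `<>` placeholder (rendered as `\u003c\u003e` in the generated .ign), so the bootstrap presumably fails on every boot, and because the stamp is only touched by the following ExecStart it will keep retrying. `${HOME}` on the same line is expanded by systemd from the unit's environment, which for a system service without `User=` (none is shown in the hunk) does not include HOME, leaving `-v :/home/step`; the .bashrc alias added in the earlier hunk uses the explicit `/var/home/core` path and the unit should too, e.g. `-v /var/home/core:/home/step`. The unit runs `docker run` but only declares `After=rpm-ostree-install-docker-ce.service`, which orders it after the package install rather than after the daemon is up; add `Requires=docker.service` and `After=docker.service` so the bootstrap does not race the daemon. `smallstep/step-cli` is referenced without a tag in both the unit and the alias while `ghcr.io/getsops/sops` is pinned to v3.11.0; pinning step-cli to a release tag (or digest) keeps the bootstrap reproducible and limits what an upstream image change can do to a CA trust store. Separately, the new `/var/home/core/.config/sops/age` directory entry in the storage hunk sets user and group but no `mode:`, so it gets Ignition's default; since that directory is meant to hold an age private key, `mode: 0700` is warranted there.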
@@ -12,6 +12,15 @@
|
|||||||
"user": {
|
"user": {
|
||||||
"name": "core"
|
"name": "core"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"group": {
|
||||||
|
"name": "core"
|
||||||
|
},
|
||||||
|
"path": "/var/home/core/.config/sops/age",
|
||||||
|
"user": {
|
||||||
|
"name": "core"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"files": [
|
"files": [
|
||||||
@@ -50,15 +59,28 @@
|
|||||||
"contents": {
|
"contents": {
|
||||||
"source": "https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/.env"
|
"source": "https://git.mrmeeb.stream/mrmeeb-labs/supporting-services/raw/branch/main/.env"
|
||||||
}
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"path": "/var/home/core/.bashrc",
|
||||||
|
"append": [
|
||||||
|
{
|
||||||
|
"compression": "",
|
||||||
|
"source": "data:,alias%20step%3D'docker%20run%20--rm%20-v%20%2Fvar%2Fhome%2Fcore%3A%2Fhome%2Fstep%20-e%20STEPPATH%3D%2Fhome%2Fstep%2F.step%20smallstep%2Fstep-cli%20step'"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"compression": "",
|
||||||
|
"source": "data:,alias%20sops%3D'docker%20run%20--rm%20-it%20-v%20%2Fvar%2Fhome%2Fcore%3A%2Froot%20-v%20%2Fvar%2Fdocker%3A%2Fvar%2Fdocker%20ghcr.io%2Fgetsops%2Fsops%3Av3.11.0'"
|
||||||
|
}
|
||||||
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"systemd": {
|
"systemd": {
|
||||||
"units": [
|
"units": [
|
||||||
{
|
{
|
||||||
"contents": "[Unit]\nDescription=Install Supporting Services\nWants=network-online.target\nAfter=rpm-ostree-install-docker-ce.service\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker compose -p \"supporting-services\" --env-file /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/.env -f /var/docker/.supporting-services/komodo/repos/mrmeeb-labs/supporting-services/docker-compose.yml up -d\nExecStart=/usr/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target",
|
"contents": "[Unit]\nDescription=Bootstrap step-ca\nWants=network-online.target\nAfter=rpm-ostree-install-docker-ce.service\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/docker run --rm -v ${HOME}:/home/step -e STEPPATH=/home/step/.step smallstep/step-cli step ca bootstrap --team mtls --team-url \"https://mrmeeb.co.uk/step/\u003c\u003e\"\nExecStart=/usr/bin/touch /var/lib/%N.stamp\n\n[Install]\nWantedBy=multi-user.target",
|
||||||
"enabled": true,
|
"enabled": true,
|
||||||
"name": "rpm-ostree-install-supporting-services.service"
|
"name": "bootstrap-step-ca.service"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -2,6 +2,7 @@ variant: fcos
|
|||||||
version: 1.6.0
|
version: 1.6.0
|
||||||
storage:
|
storage:
|
||||||
files:
|
files:
|
||||||
|
# Make the device wary of updating, and do maintenance early in the weekend mornings
|
||||||
- path: /etc/zincati/config.d/51-rollout-wariness.toml
|
- path: /etc/zincati/config.d/51-rollout-wariness.toml
|
||||||
contents:
|
contents:
|
||||||
inline: |
|
inline: |
|
||||||
@@ -19,6 +20,48 @@ storage:
|
|||||||
|
|
||||||
systemd:
|
systemd:
|
||||||
units:
|
units:
|
||||||
|
# Disable SSH (so Ansible waits until config has completed before continuing)
|
||||||
|
- name: ignition-start-config.service
|
||||||
|
enabled: true
|
||||||
|
contents: |
|
||||||
|
[Unit]
|
||||||
|
Description=Block SSH during configuration
|
||||||
|
After=network-online.target
|
||||||
|
Before=zincati.service
|
||||||
|
ConditionPathExists=!/var/lib/%N.stamp
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/bin/systemctl stop sshd
|
||||||
|
ExecStart=/usr/bin/systemctl disable sshd
|
||||||
|
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
||||||
|
ExecStart=/usr/bin/echo "SSH currently disabled until configuration completes" | /usr/bin/tee /etc/issue.d/35-ssh-blocked.issue
|
||||||
|
ExecStart=/usr/bin/systemctl restart getty@tty1
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
# Enable SSH once configuration has finished so Ansible can continue
|
||||||
|
- name: ignition-finish-config.service
|
||||||
|
enabled: true
|
||||||
|
contents: |
|
||||||
|
[Unit]
|
||||||
|
Description=Enable SSH after configuration
|
||||||
|
After=zincati.service
|
||||||
|
ConditionPathExists=!/var/lib/%N.stamp
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/bin/systemctl start sshd
|
||||||
|
ExecStart=/usr/bin/systemctl enable sshd
|
||||||
|
ExecStart=/usr/bin/touch /var/lib/%N.stamp
|
||||||
|
ExecStart=/usr/bin/rm /etc/issue.d/35-ssh-blocked.issue
|
||||||
|
ExecStart=/usr/bin/systemctl restart getty@tty1
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
|
||||||
# Install qemu-guest-agent
|
# Install qemu-guest-agent
|
||||||
- name: rpm-ostree-install-qemu-guest-agent.service
|
- name: rpm-ostree-install-qemu-guest-agent.service
|
||||||
enabled: true
|
enabled: true
|
||||||
@@ -26,7 +69,7 @@ systemd:
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Install QEMU Guest Agent
|
Description=Install QEMU Guest Agent
|
||||||
Wants=network-online.target
|
Wants=network-online.target
|
||||||
After=network-online.target
|
After=ignition-start-config.service
|
||||||
Before=zincati.service
|
Before=zincati.service
|
||||||
ConditionPathExists=!/var/lib/%N.stamp
|
ConditionPathExists=!/var/lib/%N.stamp
|
||||||
|
|
||||||
|
|||||||
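Review bot: The `ExecStart=/usr/bin/echo "..." | /usr/bin/tee /etc/issue.d/35-ssh-blocked.issue` line in the new ignition-start-config.service will not write the issue file: systemd does not run ExecStart through a shell, so `|` and the tee path are passed to echo as ordinary arguments and only end up in the journal. Use `ExecStart=/usr/bin/sh -c 'echo "SSH currently disabled until configuration completes" > /etc/issue.d/35-ssh-blocked.issue'`, or ship the file through `storage.files` and let the unit only remove it. As a knock-on, ignition-finish-config.service's `ExecStart=/usr/bin/rm /etc/issue.d/35-ssh-blocked.issue` then fails on the missing file and, since it runs after the stamp is touched, the final `systemctl restart getty@tty1` is skipped with no retry; `rm -f` makes that step idempotent. Stopping sshd from a unit ordered only `After=network-online.target` also leaves a window in which sshd may already be accepting connections before it is stopped; if the intent is that no SSH login is possible until configuration completes, preventing sshd from starting on that boot at all (e.g. an Ignition-level mask) is more robust than stopping it after the fact, though I cannot tell from the hunk how sshd is pulled in on this image. The generated .ign counterpart below carries the same two ExecStart lines.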
@@ -23,7 +23,17 @@
|
|||||||
"systemd": {
|
"systemd": {
|
||||||
"units": [
|
"units": [
|
||||||
{
|
{
|
||||||
"contents": "[Unit]\nDescription=Install QEMU Guest Agent\nWants=network-online.target\nAfter=network-online.target\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree install qemu-guest-agent\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target",
|
"contents": "[Unit]\nDescription=Block SSH during configuration\nAfter=network-online.target\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl stop sshd\nExecStart=/usr/bin/systemctl disable sshd\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/echo \"SSH currently disabled until configuration completes\" | /usr/bin/tee /etc/issue.d/35-ssh-blocked.issue\nExecStart=/usr/bin/systemctl restart getty@tty1\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||||
|
"enabled": true,
|
||||||
|
"name": "ignition-start-config.service"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"contents": "[Unit]\nDescription=Enable SSH after configuration\nAfter=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/systemctl start sshd\nExecStart=/usr/bin/systemctl enable sshd\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/rm /etc/issue.d/35-ssh-blocked.issue\nExecStart=/usr/bin/systemctl restart getty@tty1\n\n[Install]\nWantedBy=multi-user.target\n",
|
||||||
|
"enabled": true,
|
||||||
|
"name": "ignition-finish-config.service"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"contents": "[Unit]\nDescription=Install QEMU Guest Agent\nWants=network-online.target\nAfter=ignition-start-config.service\nBefore=zincati.service\nConditionPathExists=!/var/lib/%N.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/rpm-ostree install qemu-guest-agent\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target",
|
||||||
"enabled": true,
|
"enabled": true,
|
||||||
"name": "rpm-ostree-install-qemu-guest-agent.service"
|
"name": "rpm-ostree-install-qemu-guest-agent.service"
|
||||||
}
|
}
|
||||||
|
|||||||