---
# Pull in the shared ufw role. Its defaults and the handlers that the ufw
# tasks below notify live in that role, not in this file.
- name: Include ufw role
  include_role:
    name: ufw
# NOTE: the ufw module only ever adds rules; rules that are no longer listed
# here are not removed. For a clean firewall state run the ufw role with a
# reset (-e firewall_reset=y).
- name: Open firewall ports
  ufw:
    rule: allow
    proto: tcp
    port: "{{ item.port }}"
    src: "{{ item.src }}"
  with_items:
    # 2375 is the port Docker conventionally uses for its *unencrypted* remote
    # API (2376 is the conventional TLS port). The listener here is set up
    # further down from docker.service.conf.j2, which is not shown; the task
    # name says it uses TLS auth -- confirm that in the template. Anyone who
    # reaches this port and satisfies the daemon's auth has root-equivalent
    # control of the host, so keep the source list to the Jenkins masters.
    - port: 2375
      src: "{{ jenkins_ip }}"          # Jenkins master (production)
    - port: 2375
      src: "{{ jenkins_ip_staging }}"  # Jenkins master (staging)
    # Presumably libvirt's TCP port, reached from the docker bridge. Docker's
    # default docker0 subnet is 172.17.0.0/16, so a /24 only matches the first
    # 256 addresses -- TODO confirm the intended source range.
    - port: 16509
      src: "172.17.0.0/24"
- name: Open firewall port for Nexus
  # Restricted to the Nexus host by hostname. Note that ansible_hostname is a
  # gathered fact (it comes from the target itself, unlike inventory_hostname),
  # so this task relies on fact gathering being enabled for the play.
  when: ansible_hostname == 'x86-64-08'
  # No src: HTTP/HTTPS are opened to any source, presumably because Nexus is
  # meant to be reachable as a repository front end -- confirm that is intended.
  ufw:
    rule: allow
    proto: tcp
    port: "{{ item }}"
  with_items: [80, 443]
# Run the handlers notified so far (the ufw reload/restart from the role)
# immediately instead of at the end of the play, so the firewall is in its
# final state before docker -- installed later, presumably in another task
# file -- starts listening on TCP.
- name: flush handlers so UFW is restarted before docker is installed
  meta: flush_handlers
# systemd drop-in directory that the docker.conf template below is written into.
- name: Create directory for docker service supplementary config
  file:
    state: directory
    path: /etc/systemd/system/docker.service.d
    owner: root
    group: root
    mode: "0755"
- name: Create TLS host certificate for Docker
  # Runs on the controller, not on the target, and without privilege
  # escalation: the key material is generated into secrets/files/docker-tls/
  # and only afterwards pushed out by the next task. Keep that directory out
  # of plaintext version control -- it will hold private keys.
  # `creates` makes this idempotent, which also means an existing cert is
  # never regenerated (e.g. when ansible_host changes); delete the .pem to
  # rotate it.
  delegate_to: localhost
  become: false
  command: "./create_cert {{ inventory_hostname }} {{ ansible_host }}"
  args:
    chdir: secrets/files/docker-tls/
    creates: "{{ inventory_hostname }}-cert.pem"
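# Install the CA, the host's server certificate and its private key for the
# docker daemon's TLS listener.
#
# The private key must not be world-readable: /etc/ssl/certs is a public
# directory and, with no explicit mode, the copy module would create the file
# with its default (umask-derived, typically 0644) permissions -- readable by
# every local user and by anything that bind-mounts the host's cert directory.
# The key is therefore installed 0600 root:root while the public files stay
# 0644. Paths are unchanged because docker.service.conf.j2 (not shown) is
# expected to reference them.
- name: Install Docker TLS certificate
  copy:
    src: "secrets/files/docker-tls/{{ item.name }}"
    dest: "/etc/ssl/certs/{{ item.name }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  with_items:
    - name: ca.pem
      mode: "0644"
    - name: "{{ inventory_hostname }}-key.pem"
      mode: "0600"
    - name: "{{ inventory_hostname }}-cert.pem"
      mode: "0644"
  notify:
    - reload-systemd
    - restart-docker
  # In check mode the cert may not exist on the controller yet (it is produced
  # by the previous task), so do not abort the dry run on a missing src.
  ignore_errors: "{{ ansible_check_mode }}"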
# systemd drop-in that overrides the daemon's ExecStart so it listens on TCP.
# The actual listen address, port and TLS flags are in docker.service.conf.j2
# (not shown here); this is the file to check when auditing the 2375 rule above.
# Both handlers are defined outside this file.
- name: Configure docker to listen on TCP with TLS authentication
  template:
    src: docker.service.conf.j2
    dest: /etc/systemd/system/docker.service.d/docker.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload-systemd
    - restart-docker
# Java runtime for the Jenkins agent (headless: no GUI/X dependencies pulled in).
- name: Install openjdk for Jenkins slave
  apt:
    update_cache: true
    name:
      - openjdk-11-jdk-headless
      - openjdk-11-jre-headless
- name: Set system to use openjdk by default
  alternatives:
    name: java
    # Architecture-specific path (amd64), consistent with the x86-64 host
    # naming used in this file.
    path: /usr/lib/jvm/java-11-openjdk-amd64/bin/java
- name: Install extra deps
  apt:
    state: present
    name:
      - smartmontools
      - unzip
# Membership of the docker group is root-equivalent on this host (a member can
# start a privileged container or bind-mount /), so treat docker_group_user
# like a sudoers list and keep it short.
- name: Append Systems team to docker group
  user:
    name: "{{ item }}"
    groups: docker
    append: true
  with_items: "{{ docker_group_user }}"
# Recursive copy of the ssh material used from inside the build containers
# (owned by uid/gid 1000, presumably the in-container build user). mode applies
# to the copied files; directory_mode is not set, so created directories keep
# the system default.
- name: Copy ssh files for docker
  copy:
    src: files/docker_ssh/
    dest: /srv/docker/ssh
    owner: "1000"
    group: "1000"
    mode: "0600"
# Presumably the same account as uid 1000 used elsewhere in this file, here
# referenced by name -- TODO confirm buildslave maps to 1000.
- name: Create .ssh directory
  file:
    state: directory
    path: /home/buildslave/.ssh/
    owner: buildslave
    group: primary
    mode: "0700"
# System-wide known_hosts so the pinned host keys apply to every user on the
# box, not only to buildslave. World-readable is fine: host public keys only.
- name: Copy ssh host key for system
  copy:
    src: files/docker_ssh/buildslave.known_hosts
    dest: /etc/ssh/ssh_known_hosts
    owner: root
    group: root
    mode: "0444"
# ssh client config rendered next to the key material copied above, with the
# same uid/gid 1000 ownership and owner-only permissions.
- name: Set up docker ssh config
  template:
    src: buildslave.config
    dest: /srv/docker/ssh/buildslave.config
    owner: "1000"
    group: "1000"
    mode: "0600"
# Kernel modules to load at boot for the CI jobs; the list itself is in
# linaro-modules.conf (not shown). No owner/mode given, so the copy module's
# defaults apply.
- name: Load modules needed for CI jobs
  copy:
    dest: /etc/modules-load.d/linaro-modules.conf
    src: linaro-modules.conf
# Working directory for the build slave; ownership by number (1000) rather than
# by name, unlike the .ssh directory above. No mode is set, so an existing
# directory keeps its permissions.
- name: Ensure Buildslave srv directory exists
  file:
    state: directory
    path: /home/buildslave/srv
    owner: "1000"
    group: "1000"