ansible: Provision b-hel-fi base spec

the-maldridge · the-maldridge · commit 359e42f711cf · 2021-06-11T01:43:31.000-07:00
diff --git a/ansible/group_vars/prod.yml b/ansible/group_vars/prod.yml
@@ -73,6 +73,7 @@ void_mesh:
   e-sfo3-us.m.voidlinux.org: 192.168.99.109
   f-sfo3-us.m.voidlinux.org: 192.168.99.111
   a-fsn-de.m.voidlinux.org: 192.168.99.112
+  b-hel-fi.m.voidlinux.org: 192.168.99.113
 
 consul_servers:
   - 192.168.99.104
diff --git a/ansible/host_vars/b-hel-fi.m.voidlinux.org.yml b/ansible/host_vars/b-hel-fi.m.voidlinux.org.yml
@@ -0,0 +1,23 @@
+---
+network_interfaces:
+  - name: eth0
+    mode: static
+    mode6: static
+    resolvermode: static
+    resolvermode6: disabled
+    addresses:
+      - 65.21.160.177/32
+    resolvers:
+      - 8.8.8.8
+    routers:
+      - 135.181.18.178
+    addresses6:
+      - 2a01:4f9:4b:42dc::d01/64
+
+xbps_repository_address: alpha.de.repo.voidlinux.org
+xbps_repository_main: http://{{ xbps_repository_address }}/current/musl
+xbps_repository_nonfree: http://{{ xbps_repository_address }}/current/musl/nonfree
+xbps_repository_multilib: http://{{ xbps_repository_address }}/current/musl/multilib
+xbps_repository_multilib_nonfree: http://{{ xbps_repository_address }}/current/musl/multilib/nonfree
+
+netlogon_use_cache: false
diff --git a/ansible/inventory b/ansible/inventory
@@ -34,6 +34,7 @@ a-sfo3-us.m.voidlinux.org
 [netlogon]
 vm1.a-mci-us.m.voidlinux.org
 a-hel-fi.m.voidlinux.org
+b-hel-fi.m.voidlinux.org
 a-fsn-de.m.voidlinux.org
 b-lej-de.m.voidlinux.org
 c-lej-de.m.voidlinux.org
@@ -57,6 +58,7 @@ d-sfo3-us.m.voidlinux.org
 
 [hashiworker]
 a-hel-fi.m.voidlinux.org
+b-hel-fi.m.voidlinux.org
 a-fsn-de.m.voidlinux.org
 b-lej-de.m.voidlinux.org
 c-lej-de.m.voidlinux.org
@@ -73,6 +75,7 @@ a-lej-de.m.voidlinux.org
 
 [prod]
 a-hel-fi.m.voidlinux.org
+b-hel-fi.m.voidlinux.org
 a-mci-us.m.voidlinux.org
 a-fsn-de.m.voidlinux.org
 a-lej-de.m.voidlinux.org
diff --git a/ansible/roles/netlogon/defaults/main.yml b/ansible/roles/netlogon/defaults/main.yml
@@ -1,2 +1,4 @@
 ---
 netlogon_maintenance_user: maintenance
+
+netlogon_use_cache: true
diff --git a/ansible/roles/netlogon/tasks/main.yml b/ansible/roles/netlogon/tasks/main.yml
@@ -35,8 +35,14 @@
       - NetKeys
       - NetAuth-localizer
       - NetAuth-pam-helper
+    state: present
+
+- name: Install PAM Cache
+  xbps:
+    pkg:
       - libpam-policycache
     state: present
+  when: netlogon_use_cache
 
 - name: Install localize Service (1/2)
   file:
@@ -66,9 +72,10 @@
     owner: root
     group: root
     mode: 0644
+  when: netlogon_use_cache
 
 - name: Configure PAM
-  copy:
+  template:
     src: system-auth
     dest: /etc/pam.d/system-auth
     owner: root
diff --git a/ansible/roles/netlogon/templates/system-auth b/ansible/roles/netlogon/templates/system-auth
@@ -1,12 +1,20 @@
 #%PAM-1.0
 
+{% if netlogon_use_cache %}
 auth    [success=4 default=ignore] pam_unix.so try_first_pass nullok
 auth    [success=3 default=ignore] pam_policycache.so try_first_pass action=check
 auth    [success=1 default=die] pam_exec.so expose_authtok quiet /usr/bin/pam-helper
 auth    required  pam_deny.so
 auth    [default=ignore] pam_policycache.so action=update
 auth    required  pam_env.so
 auth    required  pam_permit.so
+{% else %}
+auth    [success=2 default=ignore] pam_unix.so try_first_pass nullok
+auth    [success=1 default=die] pam_exec.so expose_authtok quiet /usr/bin/pam-helper
+auth    required  pam_deny.so
+auth    required  pam_env.so
+auth    required  pam_permit.so
+{% endif %}
 
 account   required  pam_unix.so
 account   optional  pam_permit.so
diff --git a/terraform/do/dns.tf b/terraform/do/dns.tf
@@ -45,6 +45,13 @@ resource "digitalocean_record" "a_hel_fi" {
   value  = "95.216.76.97"
 }
 
+resource "digitalocean_record" "b_hel_fi" {
+  domain = digitalocean_domain.voidlinux_org.name
+  type   = "A"
+  name   = "b-hel-fi.m"
+  value  = "65.21.160.177"
+}
+
 resource "digitalocean_record" "a_fsn_de" {
   domain = digitalocean_domain.voidlinux_org.name
   type   = "A"
@@ -245,9 +252,9 @@ resource "digitalocean_record" "repo_alpha_us" {
 
 resource "digitalocean_record" "repo_shadow" {
   domain = digitalocean_domain.voidlinux_org.name
-  type = "CNAME"
-  name = "shadow.repo"
-  value = "b-hel-fi.m.${digitalocean_domain.voidlinux_org.name}."
+  type   = "CNAME"
+  name   = "shadow.repo"
+  value  = "b-hel-fi.m.${digitalocean_domain.voidlinux_org.name}."
 }
 
 ###################################################################
@@ -267,23 +274,23 @@ resource "digitalocean_record" "verification_github" {
 
 
 resource "digitalocean_record" "mtmp_mx" {
-  domain = digitalocean_domain.voidlinux_org.name
-  type = "MX"
-  name = "mtmp"
-  value = "${digitalocean_record.f_sfo3_us.fqdn}."
+  domain   = digitalocean_domain.voidlinux_org.name
+  type     = "MX"
+  name     = "mtmp"
+  value    = "${digitalocean_record.f_sfo3_us.fqdn}."
   priority = 10
 }
 
 resource "digitalocean_record" "mtmp" {
   domain = digitalocean_domain.voidlinux_org.name
-  type = "A"
-  name = "mtmp"
-  value = digitalocean_droplet.f_sfo3_us.ipv4_address
+  type   = "A"
+  name   = "mtmp"
+  value  = digitalocean_droplet.f_sfo3_us.ipv4_address
 }
 
 resource "digitalocean_record" "mtmp_spf" {
   domain = digitalocean_domain.voidlinux_org.name
-  type = "TXT"
-  name = "mtmp"
-  value = "v=spf1 mx -all"
+  type   = "TXT"
+  name   = "mtmp"
+  value  = "v=spf1 mx -all"
 }

-Original file line number
+Diff line change
@@ @@ -1,2 +1,4 @@ @@
 ---
 netlogon_maintenance_user: maintenance
++
 +netlogon_use_cache: true