Clustering

defaults/main.yml

@@ -19,3 +19,5 @@ bastion_superadmin_uname: "primaryadmin"  # name of bastion's superadmin account
 # bastion_interactive_mode_timeout: "60"
 # bastion_mfa_password_max_days: "90"
 bastion_initial_users: []
+bastion_initial_groups: []
+bastion_placeholder_hostname: bastion_fact_holder

molecule/clustering/INSTALL.rst

@@ -0,0 +1,23 @@
+*********************************
+Vagrant driver installation guide
+*********************************
+
+Requirements
+============
+
+* Vagrant
+* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop
+
+Install
+=======
+
+Please refer to the `Virtual environment`_ documentation for installation best
+practices. If not using a virtual environment, please consider passing the
+widely recommended `'--user' flag`_ when invoking ``pip``.
+
+.. _Virtual environment: https://virtualenv.pypa.io/en/latest/
+.. _'--user' flag: https://packaging.python.org/tutorials/installing-packages/#installing-to-the-user-site
+
+.. code-block:: bash
+
+    $ pip install 'molecule_vagrant'

molecule/clustering/converge.yml

@@ -0,0 +1,13 @@
+---
+- name: Converge
+  hosts: all
+  become: yes
+  tasks:
+    - name: "Include ansible-ovhbastion"
+      include_role:
+        name: "ansible-ovhbastion"
+      vars:
+        ssh_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKRhS89ZWIBoQ5FZU2jSKRqQ4l38ghFmm2OCE/ZpmKUg daisy@daisy
+        bastion_name: "test-bastion"
+        bastion_superadmin_uname: ldelelis
+        bastion_sync_user: bastionsync

molecule/clustering/molecule.yml

@@ -0,0 +1,43 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: vagrant
+platforms:
+  - name: bastionprimary
+    box: generic/centos8
+    groups:
+      - bastion
+    children:
+      - bastion_primary
+    interfaces:
+      - network_name: private_network
+        ip: "192.168.22.10"
+  - name: bastionreplica1
+    box: generic/centos8
+    groups:
+      - bastion
+    children:
+      - bastion_replica
+    interfaces:
+      - network_name: private_network
+        ip: "192.168.22.11"
+  - name: bastionreplica2
+    box: generic/centos8
+    groups:
+      - bastion
+    children:
+      - bastion_replica
+    interfaces:
+      - network_name: private_network
+        ip: "192.168.22.12"
+provisioner:
+  name: ansible
+  inventory:
+    group_vars:
+      bastion_primary:
+        bastion_node_role: primary
+      bastion_replica:
+        bastion_node_role: replica
+verifier:
+  name: ansible

molecule/clustering/verify.yml

@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+  - name: Example assertion
+    assert:
+      that: true

tasks/cluster-primary.yml

@@ -0,0 +1,24 @@
+---
+- name: save master pubkey
+  become_user: root
+  slurp:
+    src: ~/.ssh/id_master2slave.pub
+  register: var__master_pubkey
+
+- name: adds dummy host to hold facts
+  add_host:
+    name: "{{ bastion_placeholder_hostname }}"
+    master_pubkey: "{{ var__master_pubkey['content'] | b64decode }}"
+    master_ipv4: "{{ inventory_hostname }}"
+
+- name: configure sync watcher
+  template:
+    src: osh-sync-watcher.sh.j2
+    dest: /etc/bastion/osh-sync-watcher.sh
+    mode: '0644'
+
+- name: enable sync watcher service
+  service:
+    name: osh-sync-watcher
+    enabled: yes
+    state: started

tasks/cluster-replica.yml

@@ -0,0 +1,20 @@
+---
+- name: ensure sync user is present
+  user:
+    name: "{{ bastion_sync_user }}"
+    state: present
+    shell: /bin/bash
+
+- name: install master pubkey in slaves
+  authorized_key:
+    key: "{{ hostvars['bastion_fact_holder']['master_pubkey'] }}"
+    key_options: "from=\"{{ hostvars['bastion_fact_holder']['master_ipv4'] }}\",restrict"
+    user: "{{ bastion_sync_user }}"
+    state: present
+
+- name: disable plugin usage in slave hosts
+  lineinfile:
+    path: /etc/bastion/bastion.conf
+    regexp: '^"readOnlySlaveMode'
+    line: '"readOnlySlaveMode: 1,"'
+    state: present

tasks/main.yml

@@ -118,3 +118,15 @@
 
 - name: run user bootstrap tasks
   include_tasks: users.yml
+
+- name: bootstrap primary clustering node
+  include_tasks: cluster-primary.yml
+  when:
+    - bastion_node_role is defined
+    - bastion_node_role == "primary"
+
+- name: bootstrap replication nodes
+  include_tasks: cluster-replica.yml
+  when:
+    - bastion_node_role is defined
+    - bastion_node_role == "replica"

templates/osh-sync-watcher.sh.j2

@@ -0,0 +1,42 @@
+{% set excluded_hosts = (inventory_hostname, bastion_placeholder_hostname) %}
+# this is a SHELL SCRIPT, it'll be sourced by osh-sync-watcher.sh
+# {{ ansible_managed }}
+#
+# timeout (integer)
+# this will be the maximum delay, in seconds, after which rsync will be launched even if no change was detected
+# example:
+#timeout=120
+timeout=120
+#
+# rshcmd (string)
+# this will be passed as the --rsh parameter of rsync (don't use -p to specify port, use the remotehostlist config instead)
+# example:
+#rshcmd="ssh -q -i /root/.ssh/id_master2slave"
+rshcmd="ssh -q -i /root/.ssh/id_master2slave"
+#
+# remoteuser (string)
+# remote user to connect as while rsyncing
+# example:
+#remoteuser=bastionsync
+remoteuser={{ bastion_sync_user }}
+#
+# remotelist (space-separated list of strings, each string being either 'ip' or 'ip:port')
+# remote hosts to connect to while rsyncing (aka the list of the slave bastions)
+# example:
+#remotehostlist=192.0.2.17
+#remotehostlist='192.0.2.11 192.0.2.12'
+remotehostlist='{{ ansible_play_hosts | reject('in', excluded_hosts) | join(" ") }}'
+#
+# enabled (integer)
+# if set to anything else than 1, the script will not run
+# set this to 1 when you've configured and tested the setup
+enabled=1
+#
+# logdir (string)
+# directory where to log output from the script
+# if unset, will NOT log to a file
+#logdir=/var/log/bastion
+#
+# syslog (string)
+# syslog facility to use, if unset, will NOT log to syslog
+syslog=local6