added some scripts and firewall rules for naemon

Rasmus Thorslund 2025-02-11 08:39:27 +01:00
parent 41004c484b
commit e86ee48916
No known key found for this signature in database
GPG key ID: 502D33332E9E305D
8 changed files with 73 additions and 4 deletions


@ -0,0 +1,12 @@
---
- name: Create a file to pause Cosmos
hosts: all
become: yes
tasks:
- name: Ensure the file /etc/no-automatic-cosmos exists with specific content
ansible.builtin.copy:
dest: /etc/no-automatic-cosmos
content: "Cosmos paused by Ansible\n"
owner: root
group: root
mode: '0644'
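Review bot: `hosts: all` combined with `become: yes` makes this play write the pause file as root on every host of whatever inventory is passed, so its scope depends on the operator remembering `--limit`. Naming the intended group in `hosts:` would make the target explicit. `become: yes` is also a YAML 1.1 truthy value; `become: true` is the canonical form. Both points apply equally to the two playbooks that follow (the resume play and the resume-and-run play).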


@ -0,0 +1,9 @@
---
- name: Remove the file to resume Cosmos
hosts: all
become: yes
tasks:
- name: Remove the file /etc/no-automatic-cosmos if it exists
ansible.builtin.file:
path: /etc/no-automatic-cosmos
state: absent


@ -0,0 +1,13 @@
---
- name: Remove the no_automatic_cosmos and run cosmos.s
hosts: all
become: yes
serial: 1
tasks:
- name: Remove the file /etc/no-automatic-cosmos if it exists
ansible.builtin.file:
path: /etc/no-automatic-cosmos
state: absent
- name: Run cosmos
ansible.builtin.command: scriptherder --mode wrap --syslog --name cosmos -- /usr/local/bin/run-cosmos --random-sleep -v
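Review bot: The `Run cosmos` task passes a free-form string to `ansible.builtin.command` and declares no `changed_when`, so it reports changed on every run and gives no explicit argument boundaries. Spelling the call out under `cmd:` or as an `argv:` list and adding `changed_when: true` would state the intent. The pause file is removed before the run, so a host where the cosmos run fails is left un-paused; if that is not wanted, the order or a rescue step needs a look. The play name also appears truncated (`cosmos.s`).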


@ -203,7 +203,7 @@ resource "openstack_compute_instance_v2" "controller-nodes" {
name = "${var.controller_name}-${count.index}.${var.dns_suffix}" name = "${var.controller_name}-${count.index}.${var.dns_suffix}"
flavor_name = "${var.controller_instance_type}" flavor_name = "${var.controller_instance_type}"
key_pair = "thorslund" key_pair = "thorslund"
security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts"] security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "naemon"]
block_device { block_device {
@ -226,7 +226,7 @@ resource "openstack_compute_instance_v2" "worker-nodes" {
name = "${var.worker_name}-${count.index}.${var.dns_suffix}" name = "${var.worker_name}-${count.index}.${var.dns_suffix}"
flavor_name = "${var.worker_instance_type}" flavor_name = "${var.worker_instance_type}"
key_pair = "thorslund" key_pair = "thorslund"
security_groups = ["microk8s", "Allow SSH from SUNET jumphosts"] security_groups = ["microk8s", "Allow SSH from SUNET jumphosts", "naemon"]
block_device { block_device {
uuid = "5d24aca9-11be-4de1-9770-4a097d68f361" uuid = "5d24aca9-11be-4de1-9770-4a097d68f361"
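Review bot: The added `"naemon"` entry in `security_groups` is a string literal, so Terraform sees no dependency between these instances and `openstack_networking_secgroup_v2.naemon`. If both live in the same module, a fresh apply can try to create an instance before the group exists. Writing `openstack_networking_secgroup_v2.naemon.name` in the list gives the ordering and catches a rename. Note also that `naemon_rule4` in main.tf uses the group as its own `remote_group_id`, so every node attached here becomes a permitted ICMPv6 source for the other members; presumably intended, but worth stating in the group's description. The same applies to the worker-nodes hunk in this file and to the pg-nodes hunk further down.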

19
main.tf

@ -47,7 +47,7 @@ resource "openstack_networking_secgroup_rule_v2" "naemon_rule3" {
resource "openstack_networking_secgroup_rule_v2" "naemon_rule4" { resource "openstack_networking_secgroup_rule_v2" "naemon_rule4" {
direction = "ingress" direction = "ingress"
ethertype = "IPv6" ethertype = "IPv6"
protocol = "icmp" protocol = "ipv6-icmp"
remote_group_id = openstack_networking_secgroup_v2.naemon.id remote_group_id = openstack_networking_secgroup_v2.naemon.id
security_group_id = openstack_networking_secgroup_v2.naemon.id security_group_id = openstack_networking_secgroup_v2.naemon.id
} }
@ -84,6 +84,23 @@ resource "openstack_networking_secgroup_rule_v2" "naemon_rule8" {
remote_ip_prefix = "2001:6b0:6c::37f/128" remote_ip_prefix = "2001:6b0:6c::37f/128"
security_group_id = openstack_networking_secgroup_v2.naemon.id security_group_id = openstack_networking_secgroup_v2.naemon.id
} }
resource "openstack_networking_secgroup_rule_v2" "naemon_rule9" {
direction = "ingress"
ethertype = "IPv4"
protocol = "icmp"
remote_ip_prefix = "109.105.111.111/32"
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_rule_v2" "naemon_rule10" {
direction = "ingress"
ethertype = "IPv6"
protocol = "ipv6-icmp"
remote_ip_prefix = "2001:948:4:6::111/128"
security_group_id = openstack_networking_secgroup_v2.naemon.id
}
resource "openstack_networking_secgroup_v2" "https" { resource "openstack_networking_secgroup_v2" "https" {
name = "https" name = "https"
description = "Traffic to allow between microk8s hosts" description = "Traffic to allow between microk8s hosts"
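Review bot: `naemon_rule9` and `naemon_rule10` set no `port_range_min`/`port_range_max`, so they admit every ICMP type and code from the monitoring addresses, not just the echo request a ping check needs. If naemon only pings these hosts, `port_range_min = 8` with `port_range_max = 0` on the IPv4 rule (type 128, code 0 on the IPv6 rule) narrows them to that. Neither rule carries a `description`, so nothing in the state or the OpenStack UI says what `109.105.111.111/32` and `2001:948:4:6::111/128` are; something like `description = "ICMP from naemon monitor"` would record it. The run of numbered single-address rules could also be one resource with `for_each` over a list of prefixes, which keeps additions to a one-line change.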


@ -3,7 +3,7 @@ resource "openstack_compute_instance_v2" "pg-nodes" {
name = "${var.pgcluster_name}-${count.index}.${var.dns_suffix}" name = "${var.pgcluster_name}-${count.index}.${var.dns_suffix}"
flavor_name = "${var.pgcluster_instance_type}" flavor_name = "${var.pgcluster_instance_type}"
key_pair = "thorslund" key_pair = "thorslund"
security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts"] security_groups = ["https", "microk8s", "Allow SSH from SUNET jumphosts", "naemon"]
block_device { block_device {

8
reboot_cluster.sh Normal file

@ -0,0 +1,8 @@
#!/bin/bash
for host in *{spg,sc,sw}*.sunet.se; do
echo "Rebooting $host"
ssh $host 'systemctl reboot'
done
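Review bot: The loop issues `systemctl reboot` to every matching host back to back, with no wait for the previous host to come back, so all cluster nodes can be down at the same moment. Waiting until ssh or a health check answers again before moving on would keep the cluster available. The host list is a glob over the current directory, so running the script from another directory passes the unexpanded pattern to ssh as a hostname, and `$host` is unquoted. Suggest `shopt -s nullglob` before the loop and `ssh -- "$host" 'systemctl reboot'`. The hunk header announces 8 lines but fewer are visible here, so part of the file may be missing from this view.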

10
ssh_command_cluster.sh Executable file

@ -0,0 +1,10 @@
#!/bin/bash
COMMAND=$1
for host in *{spg,sc,sw}*.sunet.se; do
echo "Running command: $COMMAND on $host"
ssh $host $COMMAND
done