update shoelaces binary to support talos

estenrye · Jan 2, 2023 · c765edd · c765edd
1 parent 6b5ed9c
commit c765edd
Show file tree

Hide file tree

Showing 8 changed files with 59 additions and 7 deletions.
diff --git a/ansible/playbooks/tools.rye.ninja/inventory.yml b/ansible/playbooks/tools.rye.ninja/inventory.yml
@@ -11,6 +11,7 @@ tools_server:
       httpd_modules:
         - proxy
         - proxy_http
+        - remoteip
         - headers
       httpd_sites_enabled:
         - site: 000-default.conf
@@ -38,7 +39,8 @@ tools_server:
               allowOverride: None
               require: all granted
           proxyPreserveHost: true
-          requestHeader: set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+          requestHeaders:
+            - set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
           proxyPass:
             - from: /
               to: http://127.0.0.1:30083/
@@ -69,7 +71,8 @@ tools_server:
         - site: 102-pihole.conf
           host: pihole.tools.rye.ninja
           proxyPreserveHost: true
-          requestHeader: set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+          requestHeaders:
+            - set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
           proxyPass:
             - from: /
               to: http://127.0.0.1:30085/
@@ -115,3 +118,9 @@ tools_server:
               bios_type: bios
               hostname: zbox-01.usmnblm01.rye.ninja
               password_hash: "{{ default_automation_user_passwordhash | urlencode }}"
+        - network: 10.5.11.2/32
+          script:
+            name: talos.ipxe
+            params:
+              arch: amd64
+              hostname: zbox-02.usmnblm01.rye.ninja
diff --git a/ansible/playbooks/tools.rye.ninja/playbook.yml b/ansible/playbooks/tools.rye.ninja/playbook.yml
@@ -117,6 +117,7 @@
     - netbox
     - tftp
     - httpd
+    - shoelaces
 
 - hosts: tools_server
   roles:

diff --git a/ansible/roles/httpd/templates/site.conf.j2 b/ansible/roles/httpd/templates/site.conf.j2
@@ -14,7 +14,7 @@
   ServerAdmin {{ site.serverAdmin }}
 {% endif %}
 
-{% if site.proxyPreserveHost is defined and site.proxyPreserveHost %}
+{% if site.proxyPreserveHost | default(false) %}
   ProxyPreserveHost On
 {% endif %}
 
@@ -67,10 +67,34 @@ SSLCertificateKeyFile {{ ssl.key }}
   # following line enables the CGI configuration for this host only
   # after it has been globally disabled with "a2disconf".
   #Include conf-available/serve-cgi-bin.conf
-
-{% if site.requestHeader is defined %}
-  RequestHeader {{ site.requestHeader }}
+{% if site.remoteIPHeader is defined %}
+RemoteIPHeader {{ site.remoteIpHeader }}
+{% endif %}
+{% for remoteIPInternalProxy in site.remoteIPInternalProxy | default([]) %}
+RemoteIPInternalProxy {{ remoteIPInternalProxy }}
+{% endfor %}
+{% if site.remoteIPInternalProxyList is defined %}
+RemoteIPInternalProxyList {{ site.remoteIPInternalProxyList }}
+{% endif %}
+{% if site.remoteIPProxiesHeader is defined %}
+RemoteIPProxiesHeader {{ site.remoteIPProxiesHeader }}
+{% endif %}
+{% if site.remoteIPProxyProtocol | default(false) %}
+RemoteIPProxyProtocol On
 {% endif %}
+{% if site.remoteIPProxyProtocolExceptions is defined %}
+RemoteIPProxyProtocolExceptions {{ site.remoteIPProxyProtocolExceptions | join(' ') }}
+{% endif %}
+{% for remoteIPTrustedProxy in  site.RemoteIPTrustedProxys | default([]) %}
+RemoteIPTrustedProxy {{ remoteIPTrustedProxy }}
+{% endfor %}
+{% if site.remoteIPTrustedProxyList is defined %}
+RemoteIPTrustedProxyList {{ site.remoteIPTrustedProxyList }}
+{% endif %}
+
+{% for requestHeader in site.requestHeaders | default([]) %}
+  RequestHeader {{ requestHeader }}
+{% endfor %}
 {% for proxyPass in site.proxyPass | default([]) %}
   ProxyPass {{ proxyPass.from }} {{ proxyPass.to }}
 {% endfor %}

diff --git a/ansible/roles/shoelaces/defaults/main.yml b/ansible/roles/shoelaces/defaults/main.yml
@@ -1,4 +1,4 @@
-shoelaces_version: 1.2.4
+shoelaces_version: 1.2.18
 shoelaces_repo_url: https://github.com/estenrye/shoelaces
 shoelaces_system: "{{ ansible_system | lower }}"
 shoelaces_arch: "{% if ansible_architecture == 'x86_64' %}amd64{% else %}arm64{% endif %}"

diff --git a/ansible/roles/shoelaces/tasks/main.yml b/ansible/roles/shoelaces/tasks/main.yml
@@ -32,6 +32,7 @@
     owner: root
     group: root
   become: true
+  notify: restart shoelaces
 
 - name: create shoelaces configuration directory
   ansible.builtin.file:

diff --git a/ansible/roles/tftp/defaults/main.yml b/ansible/roles/tftp/defaults/main.yml
@@ -11,6 +11,7 @@ image_mirror_dir: "{{ tftp_directory }}/images"
 imagemirror_on_calendar: '*-*-* 02/6:30:00'
 imagemirror_accuracy_sec: 1m
 
+talos_linux_version: v1.3.0
 image_mirrors:
   - name: ubuntu
     mirror: rsync://mirror.math.princeton.edu/pub/ubuntu-iso/
diff --git a/ansible/roles/tftp/files/undionly.shoelaces.kpxe b/ansible/roles/tftp/files/undionly.shoelaces.kpxe
diff --git a/ansible/roles/tftp/tasks/main.yml b/ansible/roles/tftp/tasks/main.yml
@@ -27,6 +27,7 @@
     - "{{ tftp_directory }}/boot"
     - "{{ tftp_directory }}/boot/bios"
     - "{{ tftp_directory }}/boot/efi64"
+    - "{{ tftp_directory }}/boot/talos"
     - "{{ image_mirror_dir }}"
     - "{{ image_mirror_dir }}/bin"
     - "{{ image_mirror_dir }}/status"
@@ -106,6 +107,21 @@
     - src: initrd
       dest: "{{ tftp_directory }}/boot/efi64/initrd"
 
+- name: download talos linux kernel
+  ansible.builtin.get_url:
+    url: https://github.com/siderolabs/talos/releases/download/{{ talos_linux_version }}/{{ talos_kernel_file }}
+    dest: "{{ tftp_directory }}/boot/talos/{{ talos_kernel_file }}"
+    owner: "{{ tftp_user }}"
+    group: "{{ tftp_group }}"
+  become: true
+  loop_control:
+    loop_var: talos_kernel_file
+  loop:
+    - initramfs-amd64.xz
+    - initramfs-arm64.xz
+    - vmlinuz-amd64
+    - vmlinuz-arm64
+
 - name: Create Configuration Files
   ansible.builtin.template:
     src: tftpd-hpa.conf.j2