Honey swarm first draft

Author: sergioisidoro

ansible/00-init-nodes.yml

@@ -0,0 +1,11 @@
+---
+- hosts: all
+  remote_user: root
+  gather_facts: true
+  tasks:
+    - debug:
+        msg: "Loaded base playbook"
+  roles:
+    - initialize
+    - hardening
+    - docker

ansible/01-setup-swarm.yml

@@ -0,0 +1,157 @@
+---
+###
+# provision-02-docker-swarm playbook
+##
+# Set up the Swarm cluster and put it into the desired state
+#
+# Playbook inspired by https://github.com/nextrevision/ansible-swarm-playbook
+# Big thanks to John Patterson for his work!
+##
+
+    
+# use dockerswarm_advertise_addr instead of iface when ethX has multiple IP addresses
+- hosts: all
+  tasks:
+    - name: define dockerswarm_advertise_addr_string (defined) - PROVIDED
+      set_fact:
+        dockerswarm_advertise_addr_string: "{{ dockerswarm_advertise_addr }}"
+      when: dockerswarm_advertise_addr is defined
+    - name: define dockerswarm_advertise_addr_string (defined) - DEFAULTED TO HOST IP
+      set_fact:
+        dockerswarm_advertise_addr_string: "{{ ansible_ssh_host }}"
+      when: dockerswarm_advertise_addr is not defined
+
+    - name: Get info on Docker Swarm
+      community.docker.docker_swarm_info:
+      ignore_errors: yes
+      register: swarm_node_facts
+
+    - name: Inform about basic flags
+      ansible.builtin.debug:
+        msg: |
+          Was able to talk to docker daemon: {{ swarm_node_facts.can_talk_to_docker }}
+          Docker in Swarm mode: {{ swarm_node_facts.docker_swarm_active }}
+          This is a Manager node: {{ swarm_node_facts.docker_swarm_manager }}
+
+# determine the status of each manager node and break them
+# into two groups:
+#   - dockerswarm_manager_operational (swarm is running and active)
+#   - dockerswarm_manager_bootstrap (host needs to be joined to the cluster)
+- hosts: all:&dockerswarm_manager
+  tasks:
+  
+    - name: Get info on Docker Swarm
+      community.docker.docker_swarm_info:
+      ignore_errors: yes
+      register: swarm_node_facts
+
+    - name: create dockerswarm_manager_operational group
+      add_host:
+        hostname: "{{ item }}"
+        groups: dockerswarm_manager_operational
+      with_items: "{{ ansible_play_hosts | default(play_hosts) }}"
+      when: swarm_node_facts.docker_swarm_active
+      run_once: true
+      changed_when: False
+
+    - name: create dockerswarm_manager_bootstrap group
+      add_host:
+        hostname: "{{ item }}"
+        groups: dockerswarm_manager_bootstrap
+      with_items: "{{ ansible_play_hosts | default(play_hosts) }}"
+      when: not swarm_node_facts.docker_swarm_active
+      run_once: true
+      changed_when: False
+
+# determine the status of each worker node and break them
+# into two groups:
+#   - dockerswarm_worker_operational (host is joined to the swarm cluster)
+#   - dockerswarm_worker_bootstrap (host needs to be joined to the cluster)
+- hosts: all:&dockerswarm_worker
+  tasks:
+    - name: create dockerswarm_worker_operational group
+      add_host:
+        hostname: "{{ item }}"
+        groups: dockerswarm_worker_operational
+      with_items: "{{ ansible_play_hosts | default(play_hosts) }}"
+      when: swarm_node_facts.docker_swarm_active
+      run_once: true
+      changed_when: False
+
+    - name: create dockerswarm_worker_bootstrap group
+      add_host:
+        hostname: "{{ item }}"
+        groups: dockerswarm_worker_bootstrap
+      with_items: "{{ ansible_play_hosts | default(play_hosts) }}"
+      when: not swarm_node_facts.docker_swarm_active
+      run_once: true
+      changed_when: False
+
+# when the dockerswarm_manager_operational group is empty, meaning there
+# are no hosts running swarm, we need to initialize one of the hosts
+# then add it to the dockerswarm_manager_operational group
+- hosts: dockerswarm_manager_bootstrap[0]
+  tasks:
+    - name: initialize swarm cluster
+      command: >
+        docker swarm init
+        --advertise-addr={{ dockerswarm_advertise_addr_string }}:2377
+      when: "'dockerswarm_manager_operational' not in groups"
+      register: bootstrap_first_node
+
+    - name: add initialized host to dockerswarm_manager_operational group  # noqa 503
+      add_host:
+        hostname: "{{ item }}"
+        groups: dockerswarm_manager_operational
+      with_items: "{{ ansible_play_hosts | default(play_hosts) }}"
+      when: bootstrap_first_node.changed
+
+# retrieve the swarm tokens and populate a list of ips listening on
+# the swarm port 2377
+- hosts: dockerswarm_manager_operational[0]
+  vars:
+  tasks:
+    - name: retrieve swarm manager token
+      command: docker swarm join-token -q manager
+      register: dockerswarm_manager_token
+      changed_when: False
+
+    - name: retrieve swarm worker token
+      command: docker swarm join-token -q worker
+      register: dockerswarm_worker_token
+      changed_when: False
+
+    - name: populate list of manager ips from dockerswarm_advertise_addr
+      add_host:
+        hostname: "{{ dockerswarm_advertise_addr_string }}"
+        groups: dockerswarm_manager_ips
+      changed_when: False
+
+    - name: Inform about basic flags
+      ansible.builtin.debug:
+        msg: |
+          {{groups}}
+
+# join the hosts not yet initialized to the swarm cluster
+- hosts: dockerswarm_manager_bootstrap:!dockerswarm_manager_operational
+  vars:
+    token: "{{ hostvars[groups.dockerswarm_manager_operational[0]]['dockerswarm_manager_token']['stdout'] }}"
+  tasks:
+    - name: join manager nodes to cluster # noqa 301
+      command: >
+        docker swarm join
+        --advertise-addr={{ dockerswarm_advertise_addr_string }}:2377
+        --token={{ token }}
+        {{ groups.dockerswarm_manager_ips[0] }}:2377
+
+# join the remaining workers to the swarm cluster
+- hosts: dockerswarm_worker_bootstrap
+  vars:
+    token: "{{ hostvars[groups.dockerswarm_manager_operational[0]]['dockerswarm_worker_token']['stdout'] }}"
+  tasks:
+    - name: join worker nodes to cluster # noqa 301
+      command: >
+        docker swarm join
+        --advertise-addr={{ dockerswarm_advertise_addr_string }}
+        --token={{ token }}
+        {{ groups.dockerswarm_manager_ips[0] }}:2377

ansible/02-deploy-infrastucture.yml

@@ -0,0 +1,23 @@
+
+- hosts: dockerswarm_manager[0] # executed on the first Swarm manager
+  pre_tasks:
+    - name: Create Docker public-network network where all apps talk to traefik
+      docker_network:
+        name: public-network
+        driver: overlay
+
+  roles:
+    # TRAEFIK
+    - role: docker-stack
+      tags:
+        - stack-traefik
+      vars:
+        docker_stack_name: traefik
+
+    # PORTAINER
+    - role: docker-stack
+      tags:
+        - portainer
+      vars:
+        docker_stack_name: portainer
+      when: deploly_portainer

ansible/group_vars/.gitignore

@@ -0,0 +1,2 @@
+localhost_bindmounts.yml
+*_overrides.yml

ansible/group_vars/all.yml

@@ -0,0 +1,52 @@
+---
+###
+# Variables default values
+##
+# We recommend to use production values here
+# These variables can be overridden later in other group_vars files
+#
+# Here is the Ansible groups structure:
+#  all
+#  ├── production
+#  ├── staging
+#  └── any_other_remote_environment...
+#
+# Each group has its "_overrides" counterpart, which enables you to override
+#  some variables locally in a xxx_overrides.yml file, which is not versionned
+# Have a look at .sample.yml files to see some examples
+##
+
+## Additional software that is going to be installed on all the nodes
+## to facilitate your life managing them when you need to SSH them
+additional_packages:
+  - vim
+  - htop
+
+
+# Add the names of the users who will have root ssh access to all nodes,
+# and then add a public key to pubkeys with the file named for each user
+# eg. 
+# users: 
+#  - sergio
+
+users:
+
+# Domains
+domains:
+  main: "yourdomain.tld" # REPLACE THIS
+
+
+# Enable traefik ACME feature
+# If enabled, traefik will use Let's Encrypt to get an SSL certificate automatically
+# Should be disabled only on local environments (localhost or vagrant)
+letsencrypt: True
+letsencrypt_email: admin@{{ domains.main }}
+
+
+# geerlingguy.docker role configuration
+docker_edition: ce
+
+
+#### CORE
+
+deploly_portainer: true

ansible/inventories/production_example

@@ -0,0 +1,10 @@
+## SPECIFY ALL THE NODES HERE
+[nodes]
+node-1 ansible_user=root ansible_host=NODE_IP ansible_port=22
+node-2 ansible_user=root ansible_host=NODE_IP ansible_port=22 dockerswarm_advertise_addr=<INTERNAL_IP>
+
+[dockerswarm_manager]
+node-1
+
+[dockerswarm_worker]
+node-2

ansible/provision.yml

@@ -0,0 +1,13 @@
+---
+###
+# provision playbook
+##
+
+- import_playbook: 00-init-nodes.yml
+  tags: [setup]
+
+- import_playbook: 01-setup-swarm.yml
+  tags: [docker]
+
+- import_playbook: 02-deploy-infrastucture.yml
+  tags: [infrastructure]

ansible/pubkeys/.gitkeep

@@ -0,0 +1,10 @@
+---
+collections:
+  - name: ansible.posix
+
+roles:
+- src: geerlingguy.pip
+  version: 2.1.0
+
+- src: geerlingguy.docker
+  version: 4.1.1

ansible/requirements.yml

@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable