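---
# Test the local semaphore config swap: replace the Nomad agent
# configuration on this host with a hardened one.
#
# The candidate file is rendered to a private temp file and validated with
# `nomad config validate` BEFORE it is copied over the live path, so a
# config that fails validation never reaches /etc/nomad.d and the agent is
# never restarted on it (the original order wrote the live file first and
# validated afterwards).
#
# NOTE(review): the rendered nomad.hcl has no `acl` or `tls` stanza, so the
# HTTP/RPC/Serf endpoints on the tailnet hostname rely entirely on the
# tailnet as the trust boundary -- confirm that is intended.
- name: 测试 Ansible 偷梁换柱 - 修复 semaphore 不安全配置
  hosts: localhost
  become: true

  vars:
    nomad_config_path: /etc/nomad.d/nomad.hcl

  tasks:
    - name: 备份当前配置
      copy:
        src: "{{ nomad_config_path }}"
        dest: "{{ nomad_config_path }}.backup.{{ ansible_date_time.epoch }}"
        # Same host either way (hosts: localhost), but say so explicitly.
        remote_src: true
        # Keep the backup no more readable than the original config.
        mode: preserve

    # Render, validate, install; the temp file is removed even on failure.
    - block:
        # tempfile creates the file with a private mode; the .hcl suffix is
        # kept so the validator treats it like the real config file.
        - name: 创建候选配置临时文件
          tempfile:
            state: file
            suffix: .hcl
          register: nomad_candidate

        - name: 创建安全的 semaphore 配置
          copy:
            content: |
              datacenter = "dc1"
              data_dir = "/opt/nomad/data"
              plugin_dir = "/opt/nomad/plugins"
              log_level = "INFO"
              name = "semaphore"
              # 安全绑定 - 只绑定到 Tailscale 接口
              bind_addr = "semaphore.tailnet-68f9.ts.net"
              addresses {
                http = "semaphore.tailnet-68f9.ts.net"
                rpc = "semaphore.tailnet-68f9.ts.net"
                serf = "semaphore.tailnet-68f9.ts.net"
              }
              advertise {
                http = "semaphore.tailnet-68f9.ts.net:4646"
                rpc = "semaphore.tailnet-68f9.ts.net:4647"
                serf = "semaphore.tailnet-68f9.ts.net:4648"
              }
              ports {
                http = 4646
                rpc = 4647
                serf = 4648
              }
              server {
                enabled = true
                server_join {
                  retry_join = [
                    "semaphore.tailnet-68f9.ts.net:4647",
                    "ash1d.tailnet-68f9.ts.net:4647",
                    "ash2e.tailnet-68f9.ts.net:4647",
                    "ch2.tailnet-68f9.ts.net:4647",
                    "ch3.tailnet-68f9.ts.net:4647",
                    "onecloud1.tailnet-68f9.ts.net:4647",
                    "de.tailnet-68f9.ts.net:4647"
                  ]
                }
              }
              # 安全的 Consul 配置
              consul {
                address = "127.0.0.1:8500"
                server_service_name = "nomad"
                client_service_name = "nomad-client"
                auto_advertise = true
                server_auto_join = true
                client_auto_join = true
              }
              vault {
                enabled = false
              }
              telemetry {
                collection_interval = "1s"
                disable_hostname = false
                prometheus_metrics = true
                publish_allocation_metrics = true
                publish_node_metrics = true
              }
            dest: "{{ nomad_candidate.path }}"

        # A validation failure fails the play here, leaving the live config
        # and the running agent untouched.
        - name: 验证配置文件语法
          command: nomad config validate {{ nomad_candidate.path }}
          register: config_validation
          changed_when: false

        - name: 安装已验证的配置
          copy:
            src: "{{ nomad_candidate.path }}"
            dest: "{{ nomad_config_path }}"
            remote_src: true
            backup: true
          notify: restart nomad

      always:
        - name: 清理候选配置临时文件
          file:
            path: "{{ nomad_candidate.path }}"
            state: absent
          when: nomad_candidate.path is defined

    - name: 显示验证结果
      debug:
        msg: "配置验证结果: {{ config_validation.stdout }}"

  handlers:
    - name: restart nomad
      systemd:
        name: nomad
        state: restarted
        daemon_reload: true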