
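---
# Exercises the "swap-in-place" (偷梁换柱) flow on the local semaphore node:
# back up the live Nomad config, write a hardened replacement, validate it,
# and restart Nomad only if validation passes.
- name: 测试 Ansible 偷梁换柱 - 修复 semaphore 不安全配置
  hosts: localhost
  become: true
  # Facts are needed for ansible_date_time.epoch in the backup filename.
  gather_facts: true

  tasks:
    - name: 备份当前配置
      ansible.builtin.copy:
        src: /etc/nomad.d/nomad.hcl
        # src is on the managed host, not the controller. On localhost both are
        # the same filesystem, but remote_src keeps this correct if the play is
        # ever pointed at another host.
        remote_src: true
        # The backup name does not end in .hcl/.json, so Nomad should not pick
        # it up when loading the config directory — TODO confirm for this
        # Nomad version.
        dest: "/etc/nomad.d/nomad.hcl.backup.{{ ansible_date_time.epoch }}"
        backup: true

    - name: 创建安全的 semaphore 配置
      # NOTE(review): hardening here is limited to binding/advertising on the
      # Tailscale hostname; no tls {} or acl {} stanza is set, so transport and
      # API security rest entirely on the overlay network — confirm intended.
      # NOTE(review): bind_addr must resolve to the Tailscale address on this
      # host for the "Tailscale-only" binding claim in the comment to hold.
      ansible.builtin.copy:
        content: |
          datacenter = "dc1"
          data_dir = "/opt/nomad/data"
          plugin_dir = "/opt/nomad/plugins"
          log_level = "INFO"
          name = "semaphore"
          # 安全绑定 - 只绑定到 Tailscale 接口
          bind_addr = "semaphore.tailnet-68f9.ts.net"
          addresses {
            http = "semaphore.tailnet-68f9.ts.net"
            rpc = "semaphore.tailnet-68f9.ts.net"
            serf = "semaphore.tailnet-68f9.ts.net"
          }
          advertise {
            http = "semaphore.tailnet-68f9.ts.net:4646"
            rpc = "semaphore.tailnet-68f9.ts.net:4647"
            serf = "semaphore.tailnet-68f9.ts.net:4648"
          }
          ports {
            http = 4646
            rpc = 4647
            serf = 4648
          }
          server {
            enabled = true
            server_join {
              retry_join = [
                "semaphore.tailnet-68f9.ts.net:4647",
                "ash1d.tailnet-68f9.ts.net:4647",
                "ash2e.tailnet-68f9.ts.net:4647",
                "ch2.tailnet-68f9.ts.net:4647",
                "ch3.tailnet-68f9.ts.net:4647",
                "onecloud1.tailnet-68f9.ts.net:4647",
                "de.tailnet-68f9.ts.net:4647"
              ]
            }
          }
          # 安全的 Consul 配置
          consul {
            address = "127.0.0.1:8500"
            server_service_name = "nomad"
            client_service_name = "nomad-client"
            auto_advertise = true
            server_auto_join = true
            client_auto_join = true
          }
          vault {
            enabled = false
          }
          telemetry {
            collection_interval = "1s"
            disable_hostname = false
            prometheus_metrics = true
            publish_allocation_metrics = true
            publish_node_metrics = true
          }
        dest: /etc/nomad.d/nomad.hcl
        # No mode/owner is forced: the existing file's permissions are kept.
        # Tighten with mode/owner once the account Nomad runs as is confirmed.
        backup: true
      notify: restart nomad

    - name: 验证配置文件语法
      ansible.builtin.command: nomad config validate /etc/nomad.d/nomad.hcl
      register: config_validation
      # Validation is read-only; do not report it as a change.
      changed_when: false
      # A non-zero exit fails the play here, and handlers run at the end of the
      # play, so Nomad is never restarted onto a config that failed validation.

    - name: 显示验证结果
      ansible.builtin.debug:
        msg: "配置验证结果: {{ config_validation.stdout }}"

  handlers:
    - name: restart nomad
      ansible.builtin.systemd:
        name: nomad
        state: restarted
        daemon_reload: true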