# OpenTofu 小王 - 修复不安全的服务器配置
# terraform 块已在 onecloud1-deploy-clean.tf 中定义
# 需要修复的不安全服务器节点
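variable "insecure_servers" {
  # Short node names of the Nomad servers whose configuration is replaced by
  # this file. Each name is interpolated into generated file paths and into a
  # local-exec shell command, so the validation below restricts entries to a
  # plain hostname label; anything else fails at plan time instead of being
  # handed to a shell.
  description = "Short hostnames of the Nomad server nodes whose insecure configuration is to be replaced."
  type        = list(string)
  default = [
    "ash1d",
    "ash2e"
  ]

  validation {
    condition     = alltrue([for s in var.insecure_servers : can(regex("^[a-z0-9][a-z0-9-]*$", s))])
    error_message = "Each entry of insecure_servers must be a plain hostname label ([a-z0-9-] only); entries are interpolated into shell commands and file paths."
  }
}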
# 为每个服务器节点生成安全配置文件
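resource "local_file" "secure_server_configs" {
  # One rendered Nomad server configuration per node: the shared template has
  # its NODE_NAME placeholder replaced with the node's short name.
  for_each = toset(var.insecure_servers)

  filename = "${path.module}/generated/${each.key}-server-secure.hcl"
  content = replace(
    file("${path.module}/../nomad-configs-tofu/server-template-secure.hcl"),
    "NODE_NAME",
    each.key
  )

  # The rendered file is copied to /etc/nomad.d on the target node; keep it
  # readable only by the user running OpenTofu instead of the provider's
  # permissive default mode.
  # NOTE(review): whether the template holds secret material (TLS keys, gossip
  # key) is not visible from this file — confirm against server-template-secure.hcl.
  file_permission      = "0600"
  directory_permission = "0700"
}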
# 部署安全配置到每个服务器节点
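resource "null_resource" "fix_insecure_servers" {
  for_each = toset(var.insecure_servers)

  depends_on = [local_file.secure_server_configs]

  provisioner "local-exec" {
    # The SSH/sudo password reaches sshpass via $SSHPASS (`sshpass -e`) and
    # reaches sudo via stdin (`sudo -S`); it is never placed on a command line,
    # where `sshpass -p` and `echo '<pw>' | sudo -S` would expose it to the
    # local process list and to this file's history.
    environment = {
      SSHPASS = var.nomad_fix_ssh_password
    }

    # Steps: advisory reachability check, upload of the rendered config, then a
    # single remote sudo session that backs up /etc/nomad.d/nomad.hcl, installs
    # the new file, removes the node's Raft directory (destructive: the node
    # re-joins the cluster from scratch) and restarts nomad. A failed upload or
    # a failed remote step exits non-zero so the apply reports the failure
    # instead of printing "失败" and succeeding.
    #
    # StrictHostKeyChecking=accept-new records an unknown host key on first
    # contact but still rejects a changed key (needs OpenSSH >= 7.6); the
    # previous `no` accepted any key and gave no man-in-the-middle protection.
    # `sh -ec` on the remote side stops at the first failing step, so a missing
    # /etc/nomad.d/nomad.hcl aborts before the Raft directory is removed.
    command = <<EOF
set -u
echo "=== 修复 ${each.key} 的不安全配置 ==="
echo "开始时间: $(date)"

echo "1. 测试连接 ${each.key}..."
ping -c 1 ${each.key}.tailnet-68f9.ts.net || echo " - ${each.key} ping 失败"

echo "2. 上传安全配置文件..."
sshpass -e scp -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 \
  ${path.module}/generated/${each.key}-server-secure.hcl \
  ben@${each.key}.tailnet-68f9.ts.net:/tmp/nomad-secure.hcl \
  || { echo " - 文件上传失败"; exit 1; }
echo " - 文件上传成功"

echo "3. 备份旧配置并部署安全配置..."
printf '%s\n' "$SSHPASS" | sshpass -e ssh -o StrictHostKeyChecking=accept-new -o ConnectTimeout=5 \
  ben@${each.key}.tailnet-68f9.ts.net \
  "echo '=== ${each.key} 安全配置部署开始 ===' && \
   sudo -S -p '' sh -ec ' \
     systemctl stop nomad; \
     echo 备份不安全的配置...; \
     cp /etc/nomad.d/nomad.hcl /etc/nomad.d/nomad.hcl.insecure.backup.\$(date +%Y%m%d_%H%M%S); \
     echo 部署安全配置...; \
     cp /tmp/nomad-secure.hcl /etc/nomad.d/nomad.hcl; \
     echo 清理 Raft 数据以重新加入集群...; \
     rm -rf /opt/nomad/data/server/raft/; \
     echo 启动服务...; \
     systemctl start nomad; \
     sleep 10; \
     echo 检查服务状态...; \
     systemctl status nomad --no-pager' && \
   echo '=== ${each.key} 安全配置部署完成 ==='" \
  || { echo " - ${each.key} 安全修复失败"; exit 1; }
echo " - ${each.key} 安全修复成功"

echo "=== ${each.key} 安全修复完成!时间: $(date) ==="
EOF
  }

  # Re-run only when the rendered configuration for this node changes. The
  # earlier `deploy_time = timestamp()` trigger replaced the resource on every
  # apply, which re-ran the Raft wipe and service restart each time; a
  # deliberate re-run is `tofu apply -replace=null_resource.fix_insecure_servers[\"<node>\"]`.
  triggers = {
    config_hash = local_file.secure_server_configs[each.key].content_md5
  }
}

# Credential for the provisioner above. Marked sensitive so it is redacted from
# plan/apply output; no default, so it must be supplied at apply time rather
# than stored in this file.
variable "nomad_fix_ssh_password" {
  description = "SSH and sudo password for user ben on the nodes in insecure_servers. Prefer key-based SSH with a sudoers rule where possible."
  type        = string
  sensitive   = true
}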
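output "security_fix_summary" {
  # config_files is derived from the local_file resources so the reported
  # names cannot drift from what was actually written under generated/.
  # deploy_time is re-evaluated on every apply because timestamp() is not
  # stable across runs.
  description = "Nodes whose configuration was replaced, the generated config file names and the time of the last apply."
  value = {
    fixed_servers = var.insecure_servers
    config_files  = [for server in var.insecure_servers : basename(local_file.secure_server_configs[server].filename)]
    deploy_time   = timestamp()
  }
}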