feat: initial commit

tasks/omni.yaml

@@ -0,0 +1,82 @@
+---
+
+# create directories
+- name: "create omni directories"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: "directory"
+    mode: "0755"
+  loop:
+    - "/mnt/omni"
+    - "/mnt/omni/etcd-vol"
+
+# omni etcd key
+- name: "etcd key"
+  ansible.builtin.copy:
+    dest: "/mnt/omni/omni.asc"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+    content: "{{ omni_etcd_priv_key }}"
+  notify: "restart omni"
+
+# omni domain key
+- name: "link - omni domain key"
+  ansible.builtin.file:
+    src: "/root/.acme.sh/simoncor.net_ecc/simoncor.net.key"
+    dest: "/mnt/omni/omni.key"
+    state: "link"
+
+# omni domain cert
+- name: "link - omni domain cert"
+  ansible.builtin.file:
+    src: "/root/.acme.sh/simoncor.net_ecc/fullchain.cer"
+    dest: "/mnt/omni/omni.pem"
+    state: "link"
+
+# run omni
+- name: "run omni"
+  community.docker.docker_container:
+    container_default_behavior: "no_defaults"
+    detach: "yes"
+    pull: "always"
+    state: "started"
+    name: "pangolin"
+    image: "ghcr.io/siderolabs/omni:v1.1.5"
+    restart_policy: "unless-stopped"
+    network_mode: "host"
+    networks:
+      - name: "omni"
+
+    capabilities:
+      - "NET_ADMIN"
+
+    devices:
+      - "/dev/net/tun"
+
+    volumes:
+      - "/mnt/omni/etcd-vol:/_out/etcd"
+      - "/mnt/omni/omni.asc:/omni.asc"
+      - "/mnt/omni/tls.pem:/tls.crt"
+      - "/mnt/omni/tls.key:/tls.key"
+
+    command: >-
+      --account-id={{ omni_account_uuid }}
+      --name=omni
+      --cert=/tls.crt
+      --key=/tls.key
+      --machine-api-cert=/tls.crt
+      --machine-api-key=/tls.key
+      --private-key-source='file:///omni.asc'
+      --event-sink-port=8091
+      --bind-addr=0.0.0.0:443
+      --machine-api-bind-addr=0.0.0.0:8090
+      --k8s-proxy-bind-addr=0.0.0.0:8100
+      --advertised-api-url="https://api.{{ omni_domain }}"
+      --advertised-kubernetes-proxy-url="https://kube.{{ omni_domain }}:8100"
+      --siderolink-api-advertised-url="https://{{ omni_domain }}:8090"
+      --siderolink-wireguard-advertised-addr="{{ omni_ip }}:50180"
+      --initial-users={{ omni_sso_user }}
+      --auth-auth0-enabled=true
+      --auth-auth0-domain={{ auth0_domain }}
+      --auth-auth0-client-id={{ auth0_client_id }}