Add basis of the role

2024-03-01 11:01:15 +01:00 · 2024-03-01 11:01:15 +01:00 · bf077a1cca
parent fef5c8a0ea
commit bf077a1cca
10 changed files with 151 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,16 @@
+---
+# defaults file for hubblo.scaphandre
+
+scaphandre_arch: deb12-arm64
+
+scaphandre_version: 1.0.0
+
+scaphandre_home_dir: /opt/scaphandre
+
+scaphandre_exporter: prometheus
+
+scaphandre_exporter_web_listen_address: localhost
+
+scaphandre_exporter_web_listen_port: "8085"
+
+scaphandre_web_telemetry_path: power-metrics
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1,2 @@
+---
+# handlers file for hubblo.scaphandre
--- a/tasks/check_rapl.yml
+++ b/tasks/check_rapl.yml
@ -0,0 +1,9 @@
+---
+# This file checks for the presence of the intel_rapl_common kernel module, and tries to install it if
+# it's not present on the host machine.
+
+- name: Check for RAPL module
+  community.general.modprobe:
+    name: intel_rapl_common
+    state: present
+    persistent: present
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -0,0 +1,7 @@
+---
+# Installs the scaphandre package and setups the user.
+
+- name: Install the scaphandre package
+  ansible.builtin.apt:
+    deb: https://github.com/hubblo-org/scaphandre/releases/download/v{{ scaphandre_version }}/scaphandre_v{{ scaphandre_version }}-{{ scaphandre_arch }}.deb
+    state: present
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,14 @@
+---
+# tasks file for hubblo.scaphandre
+
+- name: Import the tasks to check for RAPL kernel module presence
+  ansible.builtin.import_tasks:
+    file: check_rapl.yml
+
+- name: Install scaphandre packages
+  ansible.builtin.import_tasks:
+    file: install.yml
+
+- name: Configure and install the systemD service
+  ansible.builtin.import_tasks:
+    file: systemd-service.yml
--- a/tasks/systemd-service.yml
+++ b/tasks/systemd-service.yml
@ -0,0 +1,39 @@
+---
+# Creates the user and setups the systemD service.
+
+- name: Ensure group "scaphandre" exists
+  ansible.builtin.group:
+    name: scaphandre
+    state: present
+
+- name: Create scaphandre user
+  ansible.builtin.user:
+    name: scaphandre
+    groups:
+      - scaphandre
+    append: true
+    create_home: true
+    home: "{{ scaphandre_home_dir }}"
+
+- name: Setup systemD service
+  ansible.builtin.template:
+    src: scaphandre.service.j2
+    dest: /etc/systemd/system/scaphandre.service
+    owner: root
+    group: root
+    mode: "644"
+
+- name: Ensure proper permissions
+  ansible.builtin.file:
+    path: "{{ scaphandre_home_dir }}"
+    state: directory
+    recurse: true
+    owner: scaphandre
+    group: scaphandre
+    mode: u+rwx,g-wx,o-rwx
+
+- name: Ensure scaphandre is running
+  ansible.builtin.systemd_service:
+    state: restarted
+    daemon_reload: true
+    name: scaphandre
--- a/templates/scaphandre.service.j2
+++ b/templates/scaphandre.service.j2
@ -0,0 +1,55 @@
+[Unit]
+Description=Scaphandre
+Documentation=https://github.com/hubblo-org/scaphandre
+Wants=network.target
+After=network.target
+
+[Service]
+IPAddressAllow=localhost
+IPAddressDeny=any
+
+ExecStartPre=-+/usr/sbin/modprobe intel_rapl_common
+ExecStartPre=+/usr/bin/find /sys/devices/virtual/powercap -name energy_uj -exec chmod g+r -R {} + -exec chown root:powercap {} +
+ExecStart=scaphandre {{ scaphandre_exporter }} -a {{ scaphandre_exporter_web_listen_address }} -p {{ scaphandre_exporter_web_listen_port }} -s {{ scaphandre_web_telemetry_path }}
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DevicePolicy=closed
+DynamicUser=yes
+Group=powercap
+IPAccounting=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+MemoryMax=100M
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SyslogIdentifier=scaphandre
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@keyring
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
+UMask=0777
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/tests/inventory
+++ b/tests/inventory
@ -0,0 +1,2 @@
+localhost
+
--- a/tests/test.yml
+++ b/tests/test.yml
@ -0,0 +1,5 @@
+---
+# - hosts: localhost
+#   remote_user: root
+#   roles:
+#     - hubblo.scaphandre
--- a/vars/main.yml
+++ b/vars/main.yml
@ -0,0 +1,2 @@
+---
+# vars file for hubblo.scaphandre