Add datastore role for validating config of datastore setup

playbooks/configure.yaml

@@ -21,3 +21,5 @@
   roles:
     - role: server
       when: "'server' in skylab_roles | default([])"
+    - role: datastore
+      when: "'datastore' in skylab_roles | default([])"

roles/datastore/tasks/gluster.yaml

@@ -0,0 +1,45 @@
+---
+- name: Allow gluster through firewall
+  become: true
+  ansible.posix.firewalld:
+    service: glusterfs
+    state: enabled
+    zone: trusted
+    immediate: true
+    permanent: true
+
+- name: Create datastore directory
+  become: true
+  ansible.builtin.file:
+    path: /mnt/brick/datastore
+    state: directory
+
+- name: Fetch peer status
+  become: true
+  ansible.builtin.command:
+    cmd: gluster peer status
+  changed_when: false
+  register: _gluster_peer_status_raw
+
+- name: Check peer status
+  ansible.builtin.assert:
+    that:
+      - not _gluster_peer_status_raw.stdout_lines[0].strip().endswith('0')
+    fail_msg: >-
+      ERROR: Datastore host '{{ inventory_hostname }}' is not joined to the gluster pool. Run the
+      command 'gluster peer probe {{ inventory_hostname }}.local' from another datastore host to
+      add it.
+    success_msg: >-
+      Datastore host {{ inventory_hostname }} is joined to the gluster pool
+
+- name: Mount gluster volume
+  become: true
+  ansible.posix.mount:
+    path: /mnt/datastore
+    src: localhost:/datastore
+    state: mounted
+    fstype: glusterfs
+    # Note that this just needs to be any path *other* than the actual
+    # fstab. This is done just to prevent the devices from being
+    # automatically mounted at boot
+    fstab: "{{ skylab_state_dir }}/mounts"

roles/datastore/tasks/main.yaml

@@ -0,0 +1,9 @@
+---
+- name: Install datastore packages
+  ansible.builtin.import_tasks: packages.yaml
+
+- name: Configure mounting
+  ansible.builtin.import_tasks: mounts.yaml
+
+- name: Configure glusterfs
+  ansible.builtin.import_tasks: gluster.yaml

roles/datastore/tasks/mounts.yaml

@@ -0,0 +1,108 @@
+---
+- name: Create mount points
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: "{{ ansible_user }}"
+  loop:
+    - /mnt/datastore
+    - /mnt/brick
+
+- name: Determine current mounts
+  vars:
+    _current_mounts: []
+  ansible.builtin.set_fact:
+    _current_mounts: "{{ _current_mounts + [item.mount] }}"
+  loop: "{{ ansible_mounts }}"
+  loop_control:
+    label: "{{ item.mount }}"
+
+- name: Ensure mount points are empty when unmounted
+  when: item not in _current_mounts
+  ansible.builtin.command:
+    cmd: "/usr/bin/ls {{ item }}"
+  changed_when: false
+  failed_when: _mountpoint_ls_raw.stdout
+  register: _mountpoint_ls_raw
+  loop:
+    - /mnt/datastore
+    - /mnt/brick
+
+- name: Fetch block device information
+  ansible.builtin.command:
+    cmd: lsblk /dev/{{ skylab_datastore_device }} --fs --json
+  changed_when: false
+  register: _lsblk_info_raw
+
+- name: Process block device information
+  ansible.builtin.set_fact:
+    _datastore_device_info: "{{ (_lsblk_info_raw.stdout | from_json).blockdevices[0] }}"
+
+- name: Check state of the datastore device
+  ansible.builtin.assert:
+    that: _datastore_device_info.fstype == "crypto_LUKS"
+    fail_msg: >-
+      ERROR: Datastore block device {{ inventory_hostname }}:/dev/{{ skylab_datastore_device }}
+      must be LUKS encrypted
+    success_msg: >-
+      Datastore block device {{ inventory_hostname }}:/dev/{{ skylab_datastore_device }} is
+      LUKS encrypted
+
+- name: Determine whether datastore block is decrypted
+  ansible.builtin.set_fact:
+    _datastore_device_is_decrypted: "{{ _datastore_device_info.children is defined }}"
+
+- name: Decrypt datastore block
+  when: not _datastore_device_is_decrypted
+  block:
+    - name: Prompt for decryption key
+      no_log: true
+      ansible.builtin.pause:
+        prompt: >-
+          Datastore device {{ inventory_hostname }}:/dev/{{ skylab_datastore_device }} is not
+          decrypted. Enter decryption passphrase to continue GlusterFS brick configuration
+        echo: false
+      register: _luks_decryption_key
+
+    - name: Open LUKS device
+      become: true
+      community.crypto.luks_device:
+        device: /dev/{{ skylab_datastore_device }}
+        state: opened
+        name: brick
+        passphrase: "{{ _luks_decryption_key.user_input }}"
+
+    - name: Fetch updated block device information
+      ansible.builtin.command:
+        cmd: lsblk /dev/{{ skylab_datastore_device }} --fs --json
+      changed_when: false
+      register: _lsblk_info_raw
+
+    - name: Process updated block device information
+      ansible.builtin.set_fact:
+        _datastore_device_info: "{{ (_lsblk_info_raw.stdout | from_json).blockdevices[0] }}"
+
+- name: Create dummy fstab
+  ansible.builtin.file:
+    state: touch
+    path: "{{ skylab_state_dir }}/mounts"
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0644
+    access_time: preserve
+    modification_time: preserve
+
+- name: Mount datastore block
+  become: true
+  ansible.posix.mount:
+    path: /mnt/brick
+    src: UUID={{ _datastore_device_info.children[0].uuid }}
+    state: mounted
+    fstype: "{{ _datastore_device_info.children[0].fstype }}"
+    # Note that this just needs to be any path *other* than the actual
+    # fstab. This is done just to prevent the devices from being
+    # automatically mounted at boot
+    fstab: "{{ skylab_state_dir }}/mounts"

roles/datastore/tasks/packages.yaml

@@ -0,0 +1,31 @@
+---
+- name: Install gluster repository
+  become: true
+  ansible.builtin.dnf:
+    name: centos-release-gluster9
+    state: present
+  register: _datastore_repo_gluster
+
+- name: Enable required repositories
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/yum.repos.d/{{ item }}.repo
+    line: enabled=1
+    state: present
+    regexp: "#?enabled=(0|1)"
+  loop:
+    - Rocky-AppStream
+    - Rocky-PowerTools
+  register: _datastore_repo_powertools
+
+- name: Install datastore packages
+  become: true
+  when: ansible_distribution == "Rocky"
+  ansible.builtin.dnf:
+    state: present
+    update_cache: "{{ _datastore_repo_powertools.changed or _datastore_repo_gluster.changed }}"
+    name:
+      - cryptsetup-luks
+      - glusterfs
+      - glusterfs-fuse
+      - glusterfs-server