diff --git a/omni.ini b/en1.ini similarity index 95% rename from omni.ini rename to en1.ini index 5dc122a..d250b50 100644 --- a/omni.ini +++ b/en1.ini @@ -5,6 +5,7 @@ router.net.enp.one romulus.net.enp.one remus.net.enp.one novis.tre2.local +jupiter.net.enp.one [vms] vm-db-mysql.net.enp.one diff --git a/en1.toml b/en1.toml new file mode 100644 index 0000000..0027256 --- /dev/null +++ b/en1.toml @@ -0,0 +1,47 @@ +[all.vars] +ansible_user = "ansible" +protected_users = ["root", "ansible"] +enable_gui = false +enable_ssh = true +enable_ssh_password_auth = false +disable_sudo_password = false +enable_networkd = true + +[servers.hosts.jupiter] +ansible_host = "jupiter.net.enp.one" +description = "EN1 System Control Node" +targets = ["admin", "network"] +networking: + eno1: + dhcp: Yes + eno2: + addresses: ["192.168.255.10/24"] +[servers.hosts.romulus] +ansible_host = "romulus.net.enp.one" +[servers.hosts.remus] +ansible_host = "remus.net.enp.one" +[servers.hosts.novis] +ansible_host = "novis.tre2.local" +[[servers.children]] +"vms" + + +[vms.vars] +disable_sudo_password = true + +[vms.hosts.gitea] +ansible_host = "vm-host-gitea.net.enp.one" +[vms.hosts.plex] +ansible_host = "vm-host-plex.net.enp.one" +[vms.hosts.bitwarden] +ansible_host = "vm-host-bitwarden.net.enp.one" +[vms.hosts.nextcloud] +ansible_host = "vm-host-nextcloud.net.enp.one" +[vms.hosts.minecraft] +ansible_host = "vm-host-minecraft.net.enp.one" + + +[workstations.vars] +enable_gui = true +enable_ssh = false +enable_networkd = false diff --git a/en1.yaml b/en1.yaml new file mode 100644 index 0000000..69fa093 --- /dev/null +++ b/en1.yaml 
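Review bot: The `[servers.hosts.jupiter]` table in en1.toml mixes YAML into TOML — `networking:`, `eno1:`, `dhcp: Yes` and `addresses: [...]` are not `key = value` pairs, and `[[servers.children]]` followed by a bare `"vms"` is not valid TOML either, so the toml inventory plugin would reject the whole file. If this is meant to be a TOML twin of en1.yaml, express the nested host vars as dotted tables, e.g. `[servers.hosts.jupiter.networking.eno1]` with `dhcp = true`, and declare children as a string array under `[servers]`, `children = ["vms"]`. Otherwise drop the file so the two inventories cannot drift; they already do, with jupiter described as "EN1 System Control Node" here and "EN1 System Control Server" in en1.yaml.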
@@ -0,0 +1,108 @@ +--- +all: + vars: + ansible_user: ansible + protected_users: ["root", "ansible"] + enable_gui: false + enable_ssh: true + enable_ssh_password_auth: false + disable_sudo_password: false + enable_networkd: true +network: + hosts: + router: + ansible_host: router.net.enp.one + ansible_network_os: edgeos + ansible_connection: network_cli + description: EN1 Core Gateway + targets: ["admin", "network"] +servers: + vars: + required_os: centos_8 + hosts: + jupiter: + ansible_host: jupiter.net.enp.one + description: EN1 System Control Server + targets: ["admin", "network"] + networking: + eno1: + dhcp: true + eno2: + addresses: ["192.168.255.10/24"] + romulus: + ansible_host: romulus.net.enp.one + description: EN1 Hypervisor/Datastore + targets: ["admin", "datastore", "hypervisor"] + networking: + em2: + addresses: ["192.168.255.20/24"] + remus: + ansible_host: remus.net.enp.one + description: EN1 Hypervisor/Datastore + targets: ["admin", "datastore", "hypervisor"] + em2: + addresses: ["192.168.255.30/24"] + novis: + ansible_host: novis.tre2.local + description: EN1 Backup Storage + targets: ["admin", "datastore"] + children: ["vms"] +vms: + vars: + disable_sudo_password: true + required_os: centos_8 + hosts: + gitea: + ansible_host: vm-host-gitea.net.enp.one + description: Application Host: Gitea VCS + targets: ["admin", "vcs"] + networking: + eth0: + dhcp: true + plex: + ansible_host: vm-host-plex.net.enp.one + description: Application Host: Plex Media Server + targets: ["admin", "plx"] + networking: + eth0: + dhcp: true + bitwarden: + ansible_host: vm-host-bitwarden.net.enp.one + description: Application Host: Bitwarden Password Manager + targets: ["admin", "ssv"] + networking: + eth0: + dhcp: true + nextcloud: + ansible_host: vm-host-nextcloud.net.enp.one + description: Application Host: Nextcloud Web Storage + targets: ["admin", "cfs"] + networking: + eth0: + dhcp: true +workstations: + vars: + enable_gui: true + enable_ssh: false + enable_networkd: 
false + hosts: + omega: + ansible_host: localhost + description: Last + required_os: centos_7 + targets: ["admin", "recovery"] + vigil-nox: + ansible_host: localhost + required_os: fedora_30 + description: Watchman + targets: ["admin", "desktop"] + serico-nox: + ansible_host: localhost + description: Silk + required_os: fedora_30 + targets: ["admin", "desktop"] + inerro: + ansible_host: localhost + description: Wanderer + required_os: fedora_30 + targets: ["admin", "desktop"] diff --git a/en2.yaml b/en2.yaml new file mode 100644 index 0000000..654c47d --- /dev/null +++ b/en2.yaml @@ -0,0 +1,17 @@ +--- +all: + vars: + ansible_user: ansible + protected_users: ["root", "ansible"] + enable_gui: false + enable_ssh: true + enable_ssh_password_auth: false + disable_sudo_password: false + enable_networkd: false +ungrouped: + hosts: + nimbus-1: + ansible_host: en2.enp.one + description: EN2 Digitial Ocean Cloud Server + required_os: centos_7 + targets: ["admin", "network"] diff --git a/hosts/jupiter.net.enp.one.yml b/hosts/jupiter.net.enp.one.yml new file mode 100644 index 0000000..08cb40a --- /dev/null +++ b/hosts/jupiter.net.enp.one.yml @@ -0,0 +1,20 @@ +--- +description: "EN1 System Control Node" + +targets: + - admin + - network + +networking: + eno1: + dhcp: Yes + eno2: + addresses: ["192.168.255.10/24"] + + # demo: + # addresses: ["192.168.1.10/24", "192.168.100.10/24"] + # dhcp: true + # dhcp6: true + # gateway: 192.168.1.1 + # dns: ["8.8.8.8", "8.8.4.4"] + # vlans: ["101", "200"] diff --git a/playbooks/dependencies.yml b/playbooks/dependencies.yml index 31b5941..727ecd0 100644 --- a/playbooks/dependencies.yml +++ b/playbooks/dependencies.yml 
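Review bot: The plain scalar `description: Application Host: Gitea VCS` under `vms.hosts.gitea` (and the same pattern for plex, bitwarden and nextcloud) contains `: ` inside the value, which YAML parses as a second mapping key, so the inventory fails to load; quote them, `description: "Application Host: Gitea VCS"`. Two further shape issues in the same hunk: `children: ["vms"]` under `servers` is a list, whereas the yaml inventory plugin expects `children` to be a mapping (`children:` / `  vms:`) and, I believe, rejects a list with a parser error; and `remus` has its `em2` block at host level instead of under `networking:`, so the networkd role's `networking | dict2items` loop never sees it and `em2` becomes a stray host var.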
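Review bot: `dhcp: Yes` in hosts/jupiter.net.enp.one.yml is a YAML 1.1 boolean that the rest of this change writes as `dhcp: true` (en1.yaml, and the commented example right below); write it as `dhcp: true` so a YAML 1.2 loader doesn't turn it into the string "Yes", which `network.j2`'s `== true` test would treat as false. The file also duplicates the jupiter `networking` block already defined in en1.yaml, and since it lives under `hosts/` rather than `host_vars/` it is not clear from this diff that Ansible loads it at all; keep one copy, or move it to a `host_vars` path.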
@@ -1,9 +1,26 @@ --- - hosts: all name: Ansible python bindings - tags: always + tags: + - always + - initialize tasks: - - import_tasks: tasks/centos/bindings.yml + - name: Install CentOS python bindings when: ansible_distribution == "CentOS" - - import_tasks: tasks/fedora/bindings.yml + become: true + dnf: + state: latest + name: + - python3-libselinux + - python3-policycoreutils + - python3-firewall + + - name: Install Fedora python bindings when: ansible_distribution == "Fedora" + become: true + dnf: + state: latest + name: + - libselinux-python + - policycoreutils-python + - python3-firewall diff --git a/playbooks/deploy-homepage.yml b/playbooks/deploy-homepage.yml new file mode 100644 index 0000000..4b93242 --- /dev/null +++ b/playbooks/deploy-homepage.yml @@ -0,0 +1,38 @@ +--- +- hosts: nimbus-1.net.enp.one + name: Deploy main landing page at enpaul.net + vars: + # Local directory to use for cloning and building the documentation site + DIR_BUILD: /tmp/docs + # Remote directory to install the site at + DIR_DEPLOY: /usr/share/nginx/enpaul.net/html + tasks: + - name: Upload static site to remote + copy: + src: "{{ DIR_BUILD }}/site/" + dest: "/tmp/docs/" + - name: Remove legacy site + become: true + file: + path: "{{ DIR_DEPLOY }}" + state: absent + - name: Copy static site to deployment directory + become: true + copy: + src: "/tmp/docs/" + dest: "{{ DIR_DEPLOY }}" + remote_src: true + owner: root + group: nginx + mode: 0755 + setype: httpd_sys_content_t + + - name: Clean up local build directory + delegate_to: 127.0.0.1 + file: + path: "{{ DIR_BUILD }}" + state: absent + - name: Clean up remote temp directory + file: + path: /tmp/docs + state: absent diff --git a/playbooks/files/bashrc.sh b/playbooks/files/bashrc.sh index cf63a3e..5e3b1c8 100644 --- a/playbooks/files/bashrc.sh +++ b/playbooks/files/bashrc.sh 
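Review bot: The package lists inlined into playbooks/dependencies.yml are the same ones this commit edits in `tasks/centos/bindings.yml` and `tasks/fedora/bindings.yml`, so the two copies will drift — they already do, with the Fedora task here installing the older `libselinux-python`/`policycoreutils-python` names while the CentOS task moved to `python3-*`; keep the `import_tasks` lines or delete the task files (the same point applies to those two hunks). Separately, `state: latest` in a play tagged `always` upgrades these packages on every run, including `--tags`-scoped runs; `state: present` is the bootstrap semantic wanted here. The play is still `hosts: all`, which includes the `network` group's edgeos router where `ansible_distribution` is presumably undefined and the `when:` would error — initialize.yml already uses `all:!network` for this reason.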
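Review bot: In playbooks/deploy-homepage.yml the site is staged through the fixed, world-writable path `/tmp/docs/` on the remote and then copied into `{{ DIR_DEPLOY }}` with `become: true` as `root:nginx`; a predictable `/tmp` name lets any local user pre-place or symlink that directory before the play runs, and the literal `/tmp/docs` is repeated three times instead of being a variable. Create the staging directory with the `tempfile` module (`tempfile: state: directory`, registered, then used as `dest` and in the cleanup task), or upload straight into `DIR_DEPLOY` under `become`. Two smaller points: `mode: 0755` should be quoted per Ansible's file-mode guidance, `mode: "0755"`, and `hosts: nimbus-1.net.enp.one` matches no inventory host name in this change (en2.yaml names the host `nimbus-1` with `ansible_host: en2.enp.one`), so the play would skip with no hosts matched unless another inventory defines it.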
@@ -1,16 +1,61 @@ +# Global network bashrc/profile file +# Updated 2019-11-12 + +function venv() { + DIR="/home/$USERNAME/.venvs" + + if [ $# -eq 0 ]; then + echo "No command specified" + + elif [ $1 = "--help" ] || [ $1 = '-h' ]; then + echo "Custom python Virtualenv manager +\"Because pipenv is too hard and everything else sucks\" + +Commands: + list List available virtualenvs + show Alias of list + delete Delete a virtualenv + del Alias of delete + rm Alias of delete + load Activate a virtualenv for usage + new Create a new virtualenv. If is not specified, + then the system default python is used +" + elif [ $1 = "list" ] || [ $1 = "show" ] || [ $1 = "ls" ]; then + ls $DIR + elif [ $1 = "load" ]; then + . $DIR/$2/bin/activate + elif [ $1 = "new" ]; then + virtualenv $DIR/$2 --python=$3 + elif [ $1 = "delete" ] || [ $1 = "del" ] || [ $1 = "rm" ]; then + rm -rf $DIR/$2 + elif [ $1 = "go" ]; then + cd $DIR/$2 + fi +} + +function parse_git_branch() { + git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/' +} + function up() { cd $(eval printf '../'%.0s {1..$1}); } + +function pipin() { pip freeze | grep $1; } + +alias bk='cd -' alias fuck='sudo $(history -p \!\!)' alias doc='cd ~/Documents' -alias explorer='nautilus' +alias dn='cd ~/Downloads' alias version='uname -orp && lsb_release -a | grep Description' alias activate='source ./bin/activate' alias ipconfig='ip address show' alias cls='clear' alias mklink='ln -s' -alias ls='ls -lshF --color --group-directories-first --time-style=long-iso' +alias ls='/usr/bin/ls -lshF --color --group-directories-first --time-style=long-iso' alias gg='cd ~/Git' -parse_git_branch() { - git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/' -} +alias gmtime='/usr/bin/date -u --iso-8601=seconds' +alias date='/usr/bin/date --iso-8601=seconds' +alias whatismyip='curl https://icanhazip.com/' +export rc=/home/$USERNAME/.bashrc export 
PS1="\[\e[0;97m\]\[\e[37m\]\u\[\e[1;94m\]@\[\e[94m\]\H\[\e[0;33m\]$(parse_git_branch) \[\e[37m\]\w\[\e[33m\] \[\e[0;97m\]$\[\e[0m\] " diff --git a/playbooks/initialize.yml b/playbooks/initialize.yml new file mode 100644 index 0000000..9becaa9 --- /dev/null +++ b/playbooks/initialize.yml @@ -0,0 +1,34 @@ +--- +- import_playbook: dependencies.yml + +- name: Setup environment + hosts: all:!network + tags: + - initialize + vars: + restart_services: true + roles: + - role: packages + vars: + update: true + exclude: [] # Override the default kernel exclusion + clean: true + tasks: + - name: Set hostname + become: true + hostname: + name: "{{ inventory_hostname }}" + - name: Install global bashrc + become: true + copy: + src: bashrc.sh + dest: /etc/profile.d/ZA-enpn-bashrc.sh + mode: 0644 + +- name: Configure services + hosts: all:!network + tags: + - initialize + roles: + - role: sshd + - role: networkd diff --git a/playbooks/provision.yml b/playbooks/provision.yml index ceca4d9..232cb85 100644 --- a/playbooks/provision.yml +++ b/playbooks/provision.yml @@ -1,29 +1,11 @@ --- -- import_playbook: dependencies.yml +- import_playbook: initialize.yml - -- hosts: all - name: Init - tags: initialize - tasks: - - name: Set hostname - become: true - hostname: - name: "{{ default_host if default_host is defined else inventory_hostname }}" - - - name: Install global bashrc - become: true - copy: - src: bashrc.sh - dest: /etc/profile.d/global-bashrc.sh - mode: 0644 - - - import_tasks: tasks/sshd/banner.yml - - -- hosts: all - name: System packages - tags: initialize +- name: System packages + hosts: all + tags: + - provision + - initialize tasks: - name: Load package variables include_vars: diff --git a/playbooks/roles b/playbooks/roles new file mode 120000 index 0000000..d8c4472 --- /dev/null +++ b/playbooks/roles @@ -0,0 +1 @@ +../roles \ No newline at end of file diff --git a/playbooks/update-system.yml b/playbooks/update-system.yml index 34c8e6b..ec0bf4d 100644 
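Review bot: In the new `venv` function, `delete`/`del`/`rm` run `rm -rf $DIR/$2` with `$2` unchecked, so `venv rm` with no name expands to `rm -rf /home/$USERNAME/.venvs/` and removes every virtualenv; and because bash does not set `USERNAME` by default (it sets `USER` and `HOME`), `DIR` will often be `/home//.venvs`. Use `DIR="$HOME/.venvs"`, refuse an empty name before any destructive subcommand, `[ -n "$2" ] || { echo "No virtualenv name specified" >&2; return 1; }`, and quote the expansions (`rm -rf "$DIR/$2"`, `[ "$1" = "--help" ]`) so an empty or spaced argument does not break the `[` tests. The same `$USERNAME` assumption is repeated in the new `export rc=/home/$USERNAME/.bashrc` line. This file is installed system-wide via `/etc/profile.d` by initialize.yml, so every login shell inherits these definitions.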
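Review bot: In playbooks/initialize.yml, `hostname: name: "{{ inventory_hostname }}"` drops the `default_host` override that the removed "Set hostname" task in provision.yml honoured (`default_host if default_host is defined else inventory_hostname`), so any host that set `default_host` is renamed to its inventory name on the next run; keep the fallback or document that the variable is retired. The bashrc is now installed as `/etc/profile.d/ZA-enpn-bashrc.sh` while the previous `/etc/profile.d/global-bashrc.sh` is never removed, so hosts provisioned with the old playbook will source both copies; add a `file:` task with `path: /etc/profile.d/global-bashrc.sh` and `state: absent` beside the copy. `mode: 0644` should be quoted per Ansible's file-mode guidance, `mode: "0644"`. Hard-coding `restart_services: true` as a play var also makes the networkd role stop NetworkManager on every initialize run; an extra-var would make that cut-over opt-in.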
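Review bot: The `import_tasks: tasks/sshd/banner.yml` step is removed from playbooks/provision.yml and nothing in this diff re-adds it — initialize.yml applies an `sshd` role whose contents are not shown, so if that role does not install the banner this is a silent regression (the commit still edits tasks/sshd/banner.yml, which suggests it is meant to stay in use). Also, "System packages" is now tagged `initialize` as well as `provision` while initialize.yml already runs the `packages` role with `update: true`, so `--tags initialize` appears to handle packages twice; pick one owner for that step. The "System packages" play continues past the hunk.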
--- a/playbooks/update-system.yml +++ b/playbooks/update-system.yml @@ -2,6 +2,8 @@ - hosts: all name: Upgrade packages tasks: + + - name: Upgrade YUM packages when: ansible_distribution == "CentOS" become: true diff --git a/playbooks/update-users-network.yml b/playbooks/update-users-network.yml index fbc8740..73713a3 100644 --- a/playbooks/update-users-network.yml +++ b/playbooks/update-users-network.yml @@ -2,7 +2,12 @@ - hosts: router.net.enp.one name: Configure users on router connection: network_cli +<<<<<<< Updated upstream gather_facts: false +======= + vars: + ansible_network_os: edgeos +>>>>>>> Stashed changes tasks: - import_tasks: tasks/users-preprocessing.yml @@ -18,9 +23,9 @@ edgeos_config: lines: - set system login user {{ item.name }} level admin - with_items: - - "{{ local_admin_users | difference([None]) }}" + loop: "{{ local_admin_users | difference([None]) }}" +<<<<<<< Updated upstream - name: Assemble loadkey files edgeos_command: commands: @@ -32,3 +37,23 @@ lines: - loadkey {{ item }} /tmp/{{ item }}.keys loop: "{{ local_admin_users | difference([None]) }}" +======= + - name: Assemble key files for loadkey usage + edgeos_command: + commands: sudo tee /tmp/{{ item.name }}.keys<<<"{{ item.sshkeys | join('\n') }}" + loop: "{{ local_admin_users | difference([None]) }}" + + # - name: Assemble loadkey files + # copy: + # src: keys/{{ item }} + # dest: /tmp + # with_items: + # - "{{ local_admin_users | difference([None]) }}" + + # - name: Load keys + # edgeos_config: + # lines: + # - loadkey {{ item }} /tmp/{{ item }}/*.pub + # with_items: + # - "{{ local_admin_users | difference([None]) }}" +>>>>>>> Stashed changes diff --git a/roles/docker_host/tasks/main.yml b/roles/docker_host/tasks/main.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/docker_host/tasks/main.yml @@ -0,0 +1 @@ +--- diff --git a/roles/networkd/tasks/main.yml b/roles/networkd/tasks/main.yml new file mode 100644 index 0000000..c00f238 --- /dev/null 
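Review bot: All three hunks of playbooks/update-users-network.yml commit unresolved git conflict markers (`<<<<<<< Updated upstream`, `=======`, `>>>>>>> Stashed changes` around the play `vars`, the `loop:` line and the key-loading tasks), so the file is no longer valid YAML and the playbook fails to parse. Resolve the merge before committing; both sides look wanted (`gather_facts: false` plus the `loop:` form on the upstream side, `ansible_network_os: edgeos` on the stashed side — though the latter duplicates what en1.yaml now sets on the router host). On the stashed side, the `edgeos_command` that writes `/tmp/{{ item.name }}.keys` via `sudo tee ... <<< "{{ item.sshkeys | join('\n') }}"` passes the key material through a double-quoted shell here-string, so any `$` or backtick in a key comment is expanded by the shell; the commented-out `copy` + `loadkey` approach keeps the keys off the command line.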
+++ b/roles/networkd/tasks/main.yml @@ -0,0 +1,49 @@ +--- +- import_tasks: packages.yml + +- name: Delete networkd config directory + become: true + file: + path: /etc/systemd/network + state: absent + +- name: Create the networkd config directory + become: true + file: + path: /etc/systemd/network + state: directory + +- name: Make network files + when: networking is defined + become: true + template: + src: network.j2 + dest: "/etc/systemd/network/{{ item.key }}.network" + loop: "{{ networking | dict2items }}" + +- name: Make netdev files + when: networking is defined + become: true + template: + src: netdev.j2 + dest: "/etc/systemd/network/{{ item.key }}.netdev" + loop: "{{ networking | dict2items }}" + +- import_tasks: services.yml + +- name: Symlink so systemd-resolved uses /etc/resolv.conf + become: true + file: + dest: /etc/resolv.conf + src: /run/systemd/resolve/resolv.conf + state: link + force: true + setype: net_conf_t + +- name: Symlink so /etc/resolv.conf uses systemd + become: true + file: + dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service + src: /usr/lib/systemd/system/systemd-resolved.service + state: link + force: true diff --git a/roles/networkd/tasks/packages.yml b/roles/networkd/tasks/packages.yml new file mode 100644 index 0000000..b0b76a9 --- /dev/null +++ b/roles/networkd/tasks/packages.yml @@ -0,0 +1,8 @@ +--- +- name: Install systemd-networkd + become: true + dnf: + state: latest + name: + - systemd-resolved + - systemd-networkd diff --git a/roles/networkd/tasks/services.yml b/roles/networkd/tasks/services.yml new file mode 100644 index 0000000..3d721f5 --- /dev/null +++ b/roles/networkd/tasks/services.yml 
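Review bot: The first two tasks in roles/networkd/tasks/main.yml delete and recreate `/etc/systemd/network` unconditionally, while only the template tasks carry `when: networking is defined`, so a host without a `networking` var (novis and the workstations in en1.yaml, for instance) ends up with an empty networkd directory just before services.yml disables NetworkManager and starts systemd-networkd — no interface configuration at all. Guard the whole generation path on `networking is defined` (or skip the role for those hosts), and replace delete-then-create with `file: state: directory` plus a `find`/`file: state: absent` cleanup of stale `*.network`/`*.netdev` files so the role is idempotent and stops reporting changed on every run. The last task's name says it makes `/etc/resolv.conf` use systemd, but it actually enables `systemd-resolved` by hand-linking it into `multi-user.target.wants`, duplicating the `systemd: enabled: true` task in services.yml; drop it or rename it.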
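Review bot: `state: latest` in roles/networkd/tasks/packages.yml makes this prerequisite task upgrade `systemd-resolved`/`systemd-networkd` on every run rather than just ensuring they are installed; `state: present` is the usual choice for a role dependency. It is also worth confirming these package names resolve on the `required_os: centos_8` hosts in the new inventory — as far as I know `systemd-networkd` is not in the CentOS 8 base repositories but comes from EPEL, so this task depends on the repository task having run first.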
@@ -0,0 +1,41 @@ +--- +- name: Disable NetworkManager + become: true + systemd: + name: "{{ item }}" + enabled: false + loop: + - network + - NetworkManager + - NetworkManager-wait-online + +- name: Enable systemd-networkd + become: true + systemd: + name: "{{ item }}" + enabled: true + loop: + - systemd-networkd + - systemd-resolved + - systemd-networkd-wait-online + +- name: Stop NetworkManager + when: restart_services | default(false) == true + become: true + systemd: + name: "{{ item }}" + state: stopped + loop: + - network + - NetworkManager + - NetworkManager-wait-online + +- name: Start systemd-networkd + become: true + systemd: + name: "{{ item }}" + state: started + loop: + - systemd-networkd + - systemd-resolved + - systemd-networkd-wait-online diff --git a/roles/networkd/templates/netdev.j2 b/roles/networkd/templates/netdev.j2 new file mode 100644 index 0000000..73e28af --- /dev/null +++ b/roles/networkd/templates/netdev.j2 @@ -0,0 +1,11 @@ +# ANSIBLE MANAGED FILE - DO NOT EDIT +[NetDev] +Name={{ item.key }} +Kind=vlan +{% if item.value['kind'] == 'vlan' %} + +[VLAN] +Id={{ item.value['vlan'] }} +{% endif %} + +# EOF diff --git a/roles/networkd/templates/network.j2 b/roles/networkd/templates/network.j2 new file mode 100644 index 0000000..e251a56 --- /dev/null +++ b/roles/networkd/templates/network.j2 
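Review bot: In roles/networkd/tasks/services.yml, "Start systemd-networkd" runs unconditionally while "Stop NetworkManager" is gated on `restart_services`, so with `restart_services` at its default of false the play leaves NetworkManager and systemd-networkd both running and managing the same interfaces; gate the start on the same condition, `when: restart_services | default(false) == true`, or document that the two coexist until reboot. The `network` unit in the disable and stop loops is the legacy network-scripts service, which is not present on a stock CentOS 8 or Fedora 30 install, and I believe `systemd` with `enabled: false` on a missing unit fails the task; drop it or add a `failed_when` that tolerates the unit being absent.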
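Review bot: In roles/networkd/templates/netdev.j2, `Kind=vlan` sits outside the `{% if %}`, so every key in `networking` — including the physical `eno1`, `em2` and `eth0` entries in the new inventory — gets a `.netdev` declaring it a VLAN device, and `item.value['kind'] == 'vlan'` is evaluated without a default, which I believe raises an undefined-variable error under Ansible's strict templating for every entry lacking `kind` (all of them in this change). The cleaner fix is to only generate `.netdev` files for VLAN entries with a `when: item.value.kind | default('') == 'vlan'` on the "Make netdev files" task in roles/networkd/tasks/main.yml, since a `.netdev` without a `[NetDev]` section is rejected by networkd anyway. If the template itself must stay safe on its own, move `Kind=` inside the guarded block and add the default as below.
```jinja2
# ANSIBLE MANAGED FILE - DO NOT EDIT
{% if item.value['kind'] | default('') == 'vlan' %}
[NetDev]
Name={{ item.key }}
Kind=vlan

[VLAN]
Id={{ item.value['vlan'] }}
{% endif %}
```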
@@ -0,0 +1,27 @@ +# ANSIBLE MANAGED FILE - DO NOT EDIT +[Match] +Name={{ item.key }} + +[Network] +DHCP={{ 'Yes' if item.value['dhcp'] | default(false) == true else 'No' }} +IPv6AcceptRA={{ 'Yes' if item.value['dhcp6'] | default(false) == true else 'No' }} +{% if item.value['addresses'] is defined %} +{% for ip_addr in item.value['addresses'] %} +Address={{ ip_addr }} +{% endfor %} +{% endif %} +{% if item.value['dns'] is defined %} +{% for dns_server in item.value['dns'] %} +DNS={{ dns_server }} +{% endfor %} +{% endif %} +{% if item.value['gateway'] is defined %} +Gateway={{ item.value['gateway'] }} +{% endif %} +{% if item.value['vlans'] is defined %} +{% for vlan_tag in item.value['vlans'] %} +VLAN={{ item.key }}.{{ vlan_tag }} +{% endfor %} +{% endif %} + +# EOF diff --git a/tasks/centos/bindings.yml b/tasks/centos/bindings.yml index 182bae7..ca0b30b 100644 --- a/tasks/centos/bindings.yml +++ b/tasks/centos/bindings.yml @@ -1,9 +1,9 @@ --- -- name: Install python bindings using YUM +- name: Install CentOS python bindings become: true - yum: + dnf: state: latest name: - - libselinux-python - - policycoreutils-python - - python-firewall + - python3-libselinux + - python3-policycoreutils + - python3-firewall diff --git a/tasks/centos/repositories.yml b/tasks/centos/repositories.yml index cb420f6..15b04e0 100644 --- a/tasks/centos/repositories.yml +++ b/tasks/centos/repositories.yml @@ -1,7 +1,7 @@ --- - name: Enable Extra Packages for Enterprise Linux become: true - yum_repository: + dnf_repository: name: epel description: Extra Packages for Enterprise Linux baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/ @@ -12,12 +12,6 @@ state: present key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 -- name: Enable Inline with Upstream Stable - become: true - yum: - state: latest - name: https://centos7.iuscommunity.org/ius-release.rpm - - name: Disable yum subscription-manager become: true lineinfile: 
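Review bot: In roles/networkd/templates/network.j2, `dhcp6: true` only sets `IPv6AcceptRA=Yes` and never changes `DHCP=`, which stays `No` unless `dhcp` is also true, so an interface asking for DHCPv6 alone gets no DHCP client, while `dhcp: true` yields `DHCP=Yes` (both families) regardless of `dhcp6`. Map the two flags onto networkd's `DHCP=` values explicitly — `yes` when both are set, `ipv4` or `ipv6` when only one is — with a couple of `{% set %}` lines at the top of the template, and keep `IPv6AcceptRA` tied to `dhcp6`. The `VLAN={{ item.key }}.{{ vlan_tag }}` lines also reference netdevs that only exist if the inventory defines a `networking` entry named `<iface>.<tag>` with `kind: vlan`; the commented example in hosts/jupiter.net.enp.one.yml (`vlans: ["101", "200"]`) does not, so that coupling deserves a line in the template header comment.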
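Review bot: `dnf_repository` in tasks/centos/repositories.yml is not a module I can find in core Ansible — `yum_repository` is the builtin that manages `.repo` files on both yum and dnf hosts — so this rename will fail with an unknown-module error unless a collection providing it is installed; keep `yum_repository`. The GPG key also remains `RPM-GPG-KEY-EPEL-7` while `baseurl` uses `$releasever` and the new inventory sets `required_os: centos_8` for the servers, so on CentOS 8 packages will be signed with the EPEL 8 key and fail verification; use `key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-$releasever` or select the key from `ansible_distribution_major_version`. The second hunk's removal of the IUS repository is consistent with dropping `python36u` from vars/packages.yml.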
diff --git a/tasks/fedora/bindings.yml b/tasks/fedora/bindings.yml
index 9ba0928..e0e9ecc 100644
--- a/tasks/fedora/bindings.yml
+++ b/tasks/fedora/bindings.yml
@@ -1,5 +1,5 @@
 ---
-- name: Install python bindings using DNF
+- name: Install Fedora python bindings
 become: true
 dnf:
 state: latest
diff --git a/tasks/sshd/banner.yml b/tasks/sshd/banner.yml
index 907337c..1920feb 100644
--- a/tasks/sshd/banner.yml
+++ b/tasks/sshd/banner.yml
@@ -1,3 +1,4 @@
+---
 - name: Install SSH Banner
 become: true
 template:
diff --git a/vars/packages.yml b/vars/packages.yml
index b8e831c..3e2539f 100644
--- a/vars/packages.yml
+++ b/vars/packages.yml
@@ -12,6 +12,7 @@ packages_global:
 - policycoreutils-python
 - python-devel
 - python-virtualenv
+ - systemd-devel
 - unzip
 - vim
 - vim-minimal
@@ -24,5 +25,4 @@ packages_yum:
 - bash-completion-extras
 - nc
 - nfs-utils
- - python36u
 - wget