Trying a whole buncha stuff

2019-11-23 14:30:39 -05:00 · 2019-11-23 14:30:39 -05:00 · 62b95d4e22
commit 62b95d4e22
parent 11771acc17
24 changed files with 517 additions and 48 deletions
--- a/omni.ini
+++ b/omni.ini
@ -5,6 +5,7 @@ router.net.enp.one
 romulus.net.enp.one
 remus.net.enp.one
 novis.tre2.local
 jupiter.net.enp.one
 [vms]
 vm-db-mysql.net.enp.one
--- a/en1.toml
+++ b/en1.toml
@ -0,0 +1,47 @@
 [all.vars]
 ansible_user = "ansible"
 protected_users = ["root", "ansible"]
 enable_gui = false
 enable_ssh = true
 enable_ssh_password_auth = false
 disable_sudo_password = false
 enable_networkd = true
 [servers.hosts.jupiter]
 ansible_host = "jupiter.net.enp.one"
 description = "EN1 System Control Node"
 targets = ["admin", "network"]
 networking:
  eno1:
    dhcp: Yes
  eno2:
    addresses: ["192.168.255.10/24"]
 [servers.hosts.romulus]
 ansible_host = "romulus.net.enp.one"
 [servers.hosts.remus]
 ansible_host = "remus.net.enp.one"
 [servers.hosts.novis]
 ansible_host = "novis.tre2.local"
 [[servers.children]]
 "vms"
 [vms.vars]
 disable_sudo_password = true
 [vms.hosts.gitea]
 ansible_host = "vm-host-gitea.net.enp.one"
 [vms.hosts.plex]
 ansible_host = "vm-host-plex.net.enp.one"
 [vms.hosts.bitwarden]
 ansible_host = "vm-host-bitwarden.net.enp.one"
 [vms.hosts.nextcloud]
 ansible_host = "vm-host-nextcloud.net.enp.one"
 [vms.hosts.minecraft]
 ansible_host = "vm-host-minecraft.net.enp.one"
 [workstations.vars]
 enable_gui = true
 enable_ssh = false
 enable_networkd = false
--- a/en1.yaml
+++ b/en1.yaml
@ -0,0 +1,108 @@
 ---
 all:
  vars:
    ansible_user: ansible
    protected_users: ["root", "ansible"]
    enable_gui: false
    enable_ssh: true
    enable_ssh_password_auth: false
    disable_sudo_password: false
    enable_networkd: true
 network:
  hosts:
    router:
      ansible_host: router.net.enp.one
      ansible_network_os: edgeos
      ansible_connection: network_cli
      description: EN1 Core Gateway
      targets: ["admin", "network"]
 servers:
  vars:
    required_os: centos_8
  hosts:
    jupiter:
      ansible_host: jupiter.net.enp.one
      description: EN1 System Control Server
      targets: ["admin", "network"]
      networking:
        eno1:
          dhcp: true
        eno2:
          addresses: ["192.168.255.10/24"]
    romulus:
      ansible_host: romulus.net.enp.one
      description: EN1 Hypervisor/Datastore
      targets: ["admin", "datastore", "hypervisor"]
      networking:
        em2:
          addresses: ["192.168.255.20/24"]
    remus:
      ansible_host: remus.net.enp.one
      description: EN1 Hypervisor/Datastore
      targets: ["admin", "datastore", "hypervisor"]
      em2:
        addresses: ["192.168.255.30/24"]
    novis:
      ansible_host: novis.tre2.local
      description: EN1 Backup Storage
      targets: ["admin", "datastore"]
  children: ["vms"]
 vms:
  vars:
    disable_sudo_password: true
    required_os: centos_8
  hosts:
    gitea:
      ansible_host: vm-host-gitea.net.enp.one
      description: Application Host: Gitea VCS
      targets: ["admin", "vcs"]
      networking:
        eth0:
          dhcp: true
    plex:
      ansible_host: vm-host-plex.net.enp.one
      description: Application Host: Plex Media Server
      targets: ["admin", "plx"]
      networking:
        eth0:
          dhcp: true
    bitwarden:
      ansible_host: vm-host-bitwarden.net.enp.one
      description: Application Host: Bitwarden Password Manager
      targets: ["admin", "ssv"]
      networking:
        eth0:
          dhcp: true
    nextcloud:
      ansible_host: vm-host-nextcloud.net.enp.one
      description: Application Host: Nextcloud Web Storage
      targets: ["admin", "cfs"]
      networking:
        eth0:
          dhcp: true
 workstations:
  vars:
    enable_gui: true
    enable_ssh: false
    enable_networkd: false
  hosts:
    omega:
      ansible_host: localhost
      description: Last
      required_os: centos_7
      targets: ["admin", "recovery"]
    vigil-nox:
      ansible_host: localhost
      required_os: fedora_30
      description: Watchman
      targets: ["admin", "desktop"]
    serico-nox:
      ansible_host: localhost
      description: Silk
      required_os: fedora_30
      targets: ["admin", "desktop"]
    inerro:
      ansible_host: localhost
      description: Wanderer
      required_os: fedora_30
      targets: ["admin", "desktop"]
--- a/en2.yaml
+++ b/en2.yaml
@ -0,0 +1,17 @@
 ---
 all:
  vars:
    ansible_user: ansible
    protected_users: ["root", "ansible"]
    enable_gui: false
    enable_ssh: true
    enable_ssh_password_auth: false
    disable_sudo_password: false
    enable_networkd: false
 ungrouped:
  hosts:
    nimbus-1:
      ansible_host: en2.enp.one
      description: EN2 Digitial Ocean Cloud Server
      required_os: centos_7
      targets: ["admin", "network"]
--- a/hosts/jupiter.net.enp.one.yml
+++ b/hosts/jupiter.net.enp.one.yml
@ -0,0 +1,20 @@
 ---
 description: "EN1 System Control Node"
 targets:
  - admin
  - network
 networking:
  eno1:
    dhcp: Yes
  eno2:
    addresses: ["192.168.255.10/24"]
  # demo:
  #   addresses: ["192.168.1.10/24", "192.168.100.10/24"]
  #   dhcp: true
  #   dhcp6: true
  #   gateway: 192.168.1.1
  #   dns: ["8.8.8.8", "8.8.4.4"]
  #   vlans: ["101", "200"]
--- a/playbooks/dependencies.yml
+++ b/playbooks/dependencies.yml
@ -1,9 +1,26 @@
 ---
 - hosts: all
  name: Ansible python bindings
-  tags: always
+  tags:
    - always
    - initialize
  tasks:
-    - import_tasks: tasks/centos/bindings.yml
+    - name: Install CentOS python bindings
      when: ansible_distribution == "CentOS"
-    - import_tasks: tasks/fedora/bindings.yml
+      become: true
      dnf:
        state: latest
        name:
          - python3-libselinux
          - python3-policycoreutils
          - python3-firewall
    - name: Install Fedora python bindings
      when: ansible_distribution == "Fedora"
      become: true
      dnf:
        state: latest
        name:
          - libselinux-python
          - policycoreutils-python
          - python3-firewall
--- a/playbooks/deploy-homepage.yml
+++ b/playbooks/deploy-homepage.yml
@ -0,0 +1,38 @@
 ---
 - hosts: nimbus-1.net.enp.one
  name: Deploy main landing page at enpaul.net
  vars:
    # Local directory to use for cloning and building the documentation site
    DIR_BUILD: /tmp/docs
    # Remote directory to install the site at
    DIR_DEPLOY: /usr/share/nginx/enpaul.net/html
  tasks:
    - name: Upload static site to remote
      copy:
        src: "{{ DIR_BUILD }}/site/"
        dest: "/tmp/docs/"
    - name: Remove legacy site
      become: true
      file:
        path: "{{ DIR_DEPLOY }}"
        state: absent
    - name: Copy static site to deployment directory
      become: true
      copy:
        src: "/tmp/docs/"
        dest: "{{ DIR_DEPLOY }}"
        remote_src: true
        owner: root
        group: nginx
        mode: 0755
        setype: httpd_sys_content_t
    - name: Clean up local build directory
      delegate_to: 127.0.0.1
      file:
        path: "{{ DIR_BUILD }}"
        state: absent
    - name: Clean up remote temp directory
      file:
        path: /tmp/docs
        state: absent
--- a/playbooks/files/bashrc.sh
+++ b/playbooks/files/bashrc.sh
@ -1,16 +1,61 @@
 # Global network bashrc/profile file
 # Updated 2019-11-12
 function venv() {
        DIR="/home/$USERNAME/.venvs"
        if [ $# -eq 0 ]; then
                echo "No command specified"
        elif [ $1 = "--help" ] || [ $1 = '-h' ]; then
                echo "Custom python Virtualenv manager
 \"Because pipenv is too hard and everything else sucks\"
 Commands:
  list                 List available virtualenvs
  show                 Alias of list
  delete <venv>        Delete a virtualenv
  del                  Alias of delete
  rm                   Alias of delete
  load <venv>          Activate a virtualenv for usage
  new <venv> <python>  Create a new virtualenv. If <python> is not specified,
                       then the system default python is used
 "
        elif [ $1 = "list" ] || [ $1 = "show" ] || [ $1 = "ls" ]; then
                ls $DIR
        elif [ $1 = "load" ]; then
                . $DIR/$2/bin/activate
        elif [ $1 = "new" ]; then
                virtualenv $DIR/$2 --python=$3
        elif [ $1 = "delete" ] || [ $1 = "del" ] || [ $1 = "rm" ]; then
                rm -rf $DIR/$2
        elif [ $1 = "go" ]; then
                cd $DIR/$2
        fi
 }
 function parse_git_branch() {
    git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/'
 }
 function up() { cd $(eval printf '../'%.0s {1..$1}); }
 function pipin() { pip freeze | grep $1; }
 alias bk='cd -'
 alias fuck='sudo $(history -p \!\!)'
 alias doc='cd ~/Documents'
-alias explorer='nautilus'
+alias dn='cd ~/Downloads'
 alias version='uname -orp && lsb_release -a | grep Description'
 alias activate='source ./bin/activate'
 alias ipconfig='ip address show'
 alias cls='clear'
 alias mklink='ln -s'
-alias ls='ls -lshF --color --group-directories-first --time-style=long-iso'
+alias ls='/usr/bin/ls -lshF --color --group-directories-first --time-style=long-iso'
 alias gg='cd ~/Git'
-parse_git_branch() {
+alias gmtime='/usr/bin/date -u --iso-8601=seconds'
-    git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/ (\1)/'
+alias date='/usr/bin/date --iso-8601=seconds'
-}
+alias whatismyip='curl https://icanhazip.com/'
 export rc=/home/$USERNAME/.bashrc
 export PS1="\[\e[0;97m\]\[\e[37m\]\u\[\e[1;94m\]@\[\e[94m\]\H\[\e[0;33m\]$(parse_git_branch) \[\e[37m\]\w\[\e[33m\] \[\e[0;97m\]$\[\e[0m\] "
--- a/playbooks/initialize.yml
+++ b/playbooks/initialize.yml
@ -0,0 +1,34 @@
 ---
 - import_playbook: dependencies.yml
 - name: Setup environment
  hosts: all:!network
  tags:
    - initialize
  vars:
    restart_services: true
  roles:
    - role: packages
      vars:
        update: true
        exclude: [] # Override the default kernel exclusion
        clean: true
  tasks:
    - name: Set hostname
      become: true
      hostname:
        name: "{{ inventory_hostname }}"
    - name: Install global bashrc
      become: true
      copy:
        src: bashrc.sh
        dest: /etc/profile.d/ZA-enpn-bashrc.sh
        mode: 0644
 - name: Configure services
  hosts: all:!network
  tags:
    - initialize
  roles:
    - role: sshd
    - role: networkd
--- a/playbooks/provision.yml
+++ b/playbooks/provision.yml
@ -1,29 +1,11 @@
 ---
- import_playbook: dependencies.yml
+- import_playbook: initialize.yml
-
+- name: System packages
- hosts: all
+  hosts: all
-  name: Init
+  tags:
-  tags: initialize
+    - provision
-  tasks:
+    - initialize
    - name: Set hostname
      become: true
      hostname:
        name: "{{ default_host if default_host is defined else inventory_hostname }}"
    - name: Install global bashrc
      become: true
      copy:
        src: bashrc.sh
        dest: /etc/profile.d/global-bashrc.sh
        mode: 0644
    - import_tasks: tasks/sshd/banner.yml
 - hosts: all
  name: System packages
  tags: initialize
  tasks:
    - name: Load package variables
      include_vars:
--- a/playbooks/roles
+++ b/playbooks/roles
@ -0,0 +1 @@
 ../roles
--- a/playbooks/update-system.yml
+++ b/playbooks/update-system.yml
@ -2,6 +2,8 @@
 - hosts: all
  name: Upgrade packages
  tasks:
    - name: Upgrade YUM packages
      when: ansible_distribution == "CentOS"
      become: true
--- a/playbooks/update-users-network.yml
+++ b/playbooks/update-users-network.yml
@ -2,7 +2,12 @@
 - hosts: router.net.enp.one
  name: Configure users on router
  connection: network_cli
 <<<<<<< Updated upstream
  gather_facts: false
 =======
  vars:
    ansible_network_os: edgeos
 >>>>>>> Stashed changes
  tasks:
    - import_tasks: tasks/users-preprocessing.yml
@ -18,9 +23,9 @@
      edgeos_config:
        lines:
          - set system login user {{ item.name }} level admin
-      with_items:
+      loop: "{{ local_admin_users | difference([None]) }}"
        - "{{ local_admin_users | difference([None]) }}"
 <<<<<<< Updated upstream
    - name: Assemble loadkey files
      edgeos_command:
        commands:
@ -32,3 +37,23 @@
        lines:
          - loadkey {{ item }} /tmp/{{ item }}.keys
      loop: "{{ local_admin_users | difference([None]) }}"
 =======
    - name: Assemble key files for loadkey usage
      edgeos_command:
        commands: sudo tee /tmp/{{ item.name }}.keys<<<"{{ item.sshkeys | join('\n') }}"
      loop: "{{ local_admin_users | difference([None]) }}"
    # - name: Assemble loadkey files
    #   copy:
    #     src: keys/{{ item }}
    #     dest: /tmp
    #   with_items:
    #     - "{{ local_admin_users | difference([None]) }}"
    # - name: Load keys
    #   edgeos_config:
    #     lines:
    #       - loadkey {{ item }} /tmp/{{ item }}/*.pub
    #   with_items:
    #     - "{{ local_admin_users | difference([None]) }}"
 >>>>>>> Stashed changes
--- a/roles/docker_host/tasks/main.yml
+++ b/roles/docker_host/tasks/main.yml
@ -0,0 +1 @@
 ---
--- a/roles/networkd/tasks/main.yml
+++ b/roles/networkd/tasks/main.yml
@ -0,0 +1,49 @@
 ---
 - import_tasks: packages.yml
 - name: Delete networkd config directory
  become: true
  file:
    path: /etc/systemd/network
    state: absent
 - name: Create the networkd config directory
  become: true
  file:
    path: /etc/systemd/network
    state: directory
 - name: Make network files
  when: networking is defined
  become: true
  template:
    src: network.j2
    dest: "/etc/systemd/network/{{ item.key }}.network"
  loop: "{{ networking | dict2items }}"
 - name: Make netdev files
  when: networking is defined
  become: true
  template:
    src: netdev.j2
    dest: "/etc/systemd/network/{{ item.key }}.netdev"
  loop: "{{ networking | dict2items }}"
 - import_tasks: services.yml
 - name: Symlink so systemd-resolved uses /etc/resolv.conf
  become: true
  file:
    dest: /etc/resolv.conf
    src: /run/systemd/resolve/resolv.conf
    state: link
    force: true
    setype: net_conf_t
 - name: Symlink so /etc/resolv.conf uses systemd
  become: true
  file:
    dest: /etc/systemd/system/multi-user.target.wants/systemd-resolved.service
    src: /usr/lib/systemd/system/systemd-resolved.service
    state: link
    force: true
--- a/roles/networkd/tasks/packages.yml
+++ b/roles/networkd/tasks/packages.yml
@ -0,0 +1,8 @@
 ---
 - name: Install systemd-networkd
  become: true
  dnf:
    state: latest
    name:
      - systemd-resolved
      - systemd-networkd
--- a/roles/networkd/tasks/services.yml
+++ b/roles/networkd/tasks/services.yml
@ -0,0 +1,41 @@
 ---
 - name: Disable NetworkManager
  become: true
  systemd:
    name: "{{ item }}"
    enabled: false
  loop:
    - network
    - NetworkManager
    - NetworkManager-wait-online
 - name: Enable systemd-networkd
  become: true
  systemd:
    name: "{{ item }}"
    enabled: true
  loop:
    - systemd-networkd
    - systemd-resolved
    - systemd-networkd-wait-online
 - name: Stop NetworkManager
  when: restart_services | default(false) == true
  become: true
  systemd:
    name: "{{ item }}"
    state: stopped
  loop:
    - network
    - NetworkManager
    - NetworkManager-wait-online
 - name: Start systemd-networkd
  become: true
  systemd:
    name: "{{ item }}"
    state: started
  loop:
    - systemd-networkd
    - systemd-resolved
    - systemd-networkd-wait-online
--- a/roles/networkd/templates/netdev.j2
+++ b/roles/networkd/templates/netdev.j2
@ -0,0 +1,11 @@
 # ANSIBLE MANAGED FILE - DO NOT EDIT
 [NetDev]
 Name={{ item.key }}
 Kind=vlan
 {% if item.value['kind'] == 'vlan' %}
 [VLAN]
 Id={{ item.value['vlan'] }}
 {% endif %}
 # EOF
--- a/roles/networkd/templates/network.j2
+++ b/roles/networkd/templates/network.j2
@ -0,0 +1,27 @@
 # ANSIBLE MANAGED FILE - DO NOT EDIT
 [Match]
 Name={{ item.key }}
 [Network]
 DHCP={{ 'Yes' if item.value['dhcp'] | default(false) == true else 'No' }}
 IPv6AcceptRA={{ 'Yes' if item.value['dhcp6'] | default(false) == true else 'No' }}
 {% if item.value['addresses'] is defined %}
 {% for ip_addr in item.value['addresses'] %}
 Address={{ ip_addr }}
 {% endfor %}
 {% endif %}
 {% if item.value['dns'] is defined %}
 {% for dns_server in item.value['dns'] %}
 DNS={{ dns_server }}
 {% endfor %}
 {% endif %}
 {% if item.value['gateway'] is defined %}
 Gateway={{ item.value['gateway'] }}
 {% endif %}
 {% if item.value['vlans'] is defined %}
 {% for vlan_tag in item.value['vlans'] %}
 VLAN={{ item.key }}.{{ vlan_tag }}
 {% endfor %}
 {% endif %}
 # EOF
--- a/tasks/centos/bindings.yml
+++ b/tasks/centos/bindings.yml
@ -1,9 +1,9 @@
 ---
- name: Install python bindings using YUM
+- name: Install CentOS python bindings
  become: true
-  yum:
+  dnf:
    state: latest
    name:
-      - libselinux-python
+      - python3-libselinux
-      - policycoreutils-python
+      - python3-policycoreutils
-      - python-firewall
+      - python3-firewall
--- a/tasks/centos/repositories.yml
+++ b/tasks/centos/repositories.yml
@ -1,7 +1,7 @@
 ---
 - name: Enable Extra Packages for Enterprise Linux
  become: true
-  yum_repository:
+  dnf_repository:
    name: epel
    description: Extra Packages for Enterprise Linux
    baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/
@ -12,12 +12,6 @@
    state: present
    key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
 - name: Enable Inline with Upstream Stable
  become: true
  yum:
    state: latest
    name: https://centos7.iuscommunity.org/ius-release.rpm
 - name: Disable yum subscription-manager
  become: true
  lineinfile:
--- a/tasks/fedora/bindings.yml
+++ b/tasks/fedora/bindings.yml
@ -1,5 +1,5 @@
 ---
- name: Install python bindings using DNF
+- name: Install Fedora python bindings
  become: true
  dnf:
    state: latest
--- a/tasks/sshd/banner.yml
+++ b/tasks/sshd/banner.yml
@ -1,3 +1,4 @@
 ---
 - name: Install SSH Banner
  become: true
  template:
--- a/vars/packages.yml
+++ b/vars/packages.yml
@ -12,6 +12,7 @@ packages_global:
  - policycoreutils-python
  - python-devel
  - python-virtualenv
  - systemd-devel
  - unzip
  - vim
  - vim-minimal
@ -24,5 +25,4 @@ packages_yum:
  - bash-completion-extras
  - nc
  - nfs-utils
  - python36u
  - wget